Title: [258452] trunk/Source/_javascript_Core
Revision
258452
Author
tzaga...@apple.com
Date
2020-03-13 17:19:24 -0700 (Fri, 13 Mar 2020)

Log Message

Missing arithMode for ArithAbs and ArithNegate in DFGClobberize
https://bugs.webkit.org/show_bug.cgi?id=208685
<rdar://problem/60115088>

Reviewed by Saam Barati.

In the pure case of ArithNegate and ArithAbs in DFGClobberize, their PureValues did not include their
respective ArithMode. That means that e.g. a CheckOverflow ArithNegate/Abs could be considered equivalent
to an Unchecked version of the same node.

Thanks to Samuel Groß of Google Project Zero for identifying this bug.

* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
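To make the description concrete, the following is an added toy model (not JSC code) of the pure-value CSE key the commit fixes: a small local CSE pass keyed on (op, operand, mode), run once with the mode omitted from the key, as before the patch, and once with it included. With the mode omitted, a CheckOverflow negate is replaced by the value of an earlier Unchecked negate of the same operand, so its overflow check never runs. Names (`ArithMode`, `Node`, `makeKey`, `runCse`) are assumptions for this illustration.

```cpp
#include <cstdint>
#include <map>
#include <optional>
#include <tuple>
#include <vector>

// Toy model of the DFG's ArithMode and of a node that is "pure" for CSE purposes.
enum class ArithMode { Unchecked, CheckOverflow };
enum class Op { Negate };

struct Node {
    Op op;
    int operand;     // index of the operand in a hypothetical input vector (single input here)
    ArithMode mode;
};

// CSE key. The pre-patch behaviour corresponds to includeMode == false:
// two negates of the same operand compare equal regardless of ArithMode.
using Key = std::tuple<Op, int, std::optional<ArithMode>>;

Key makeKey(const Node& n, bool includeMode) {
    return {n.op, n.operand, includeMode ? std::optional<ArithMode>(n.mode) : std::nullopt};
}

// Evaluate a negate. A CheckOverflow negate of INT32_MIN fails its check, which we
// model as nullopt (a deopt/exit); an Unchecked negate wraps to INT32_MIN.
std::optional<int32_t> evalNegate(const Node& n, int32_t input) {
    if (n.mode == ArithMode::CheckOverflow && input == INT32_MIN)
        return std::nullopt;
    return static_cast<int32_t>(0u - static_cast<uint32_t>(input)); // wrapping negate
}

// Run CSE over [Unchecked negate(x), CheckOverflow negate(x)] and return the value
// the CheckOverflow node ends up producing after CSE.
std::optional<int32_t> runCse(bool includeMode, int32_t input) {
    std::vector<Node> nodes = {
        {Op::Negate, 0, ArithMode::Unchecked},
        {Op::Negate, 0, ArithMode::CheckOverflow},
    };
    std::map<Key, std::optional<int32_t>> available;
    std::optional<int32_t> last;
    for (const Node& n : nodes) {
        Key k = makeKey(n, includeMode);
        auto it = available.find(k);
        if (it != available.end()) { last = it->second; continue; } // reuse; check is skipped
        last = evalNegate(n, input);
        available[k] = last;
    }
    return last;
}
```

With the mode in the key, the checked node is evaluated on its own and the INT32_MIN case correctly fails its check; without it, the checked node silently inherits the wrapped result.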

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (258451 => 258452)


--- trunk/Source/_javascript_Core/ChangeLog	2020-03-14 00:05:31 UTC (rev 258451)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-03-14 00:19:24 UTC (rev 258452)
@@ -1,3 +1,20 @@
+2020-03-13  Tadeu Zagallo  <tzaga...@apple.com>
+
+        Missing arithMode for ArithAbs and ArithNegate in DFGClobberize
+        https://bugs.webkit.org/show_bug.cgi?id=208685
+        <rdar://problem/60115088>
+
+        Reviewed by Saam Barati.
+
+        In the pure case of ArithNegate and ArithAbs in DFGClobberize, their PureValues did not include their
+        respective ArithMode. That means that e.g. a CheckOverflow ArithNegate/Abs could be considered equivalent
+        to an Unchecked version of the same node.
+
+        Thanks to Samuel Groß of Google Project Zero for identifying this bug.
+
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+
 2020-03-13  Myles C. Maxfield  <mmaxfi...@apple.com>
 
         [Cocoa] Push applicationSDKVersion() down from WebCore into WTF
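Review bot: The ChangeLog lists only dfg/DFGClobberize.h; since the bug is an unsound CSE match between CheckOverflow and Unchecked ArithNegate/ArithAbs, a regression test (for example one that negates or takes the absolute value of INT32_MIN through both arithmetic modes in the same function) would be worth adding under JSTests so the fix is exercised rather than only described here.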

Modified: trunk/Source/_javascript_Core/dfg/DFGClobberize.h (258451 => 258452)


--- trunk/Source/_javascript_Core/dfg/DFGClobberize.h	2020-03-14 00:05:31 UTC (rev 258451)
+++ trunk/Source/_javascript_Core/dfg/DFGClobberize.h	2020-03-14 00:19:24 UTC (rev 258452)
@@ -228,7 +228,7 @@
 
     case ArithAbs:
         if (node->child1().useKind() == Int32Use || node->child1().useKind() == DoubleRepUse)
-            def(PureValue(node));
+            def(PureValue(node, node->arithMode()));
         else {
             read(World);
             write(Heap);
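Review bot: Adding `node->arithMode()` to the PureValue for ArithAbs is the right fix, since two ArithAbs nodes with the same child but different ArithMode are not interchangeable; note that the else branch (read(World)/write(Heap)) is unchanged, so this only affects the Int32Use/DoubleRepUse pure path. It would also be worth auditing the other pure arithmetic cases in this switch for the same omission, as nothing in this hunk guards against a sibling node having the same problem.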
@@ -248,7 +248,7 @@
         if (node->child1().useKind() == Int32Use
             || node->child1().useKind() == DoubleRepUse
             || node->child1().useKind() == Int52RepUse)
-            def(PureValue(node));
+            def(PureValue(node, node->arithMode()));
         else {
             read(World);
             write(Heap);
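Review bot: Same change for ArithNegate, covering Int32Use, DoubleRepUse and Int52RepUse; for the Int32 and Int52 cases this is what prevents a CheckOverflow negate from being replaced by an earlier Unchecked negate of the same child (where negating the minimum value wraps instead of exiting). Including the mode in the key is harmless for DoubleRepUse, where no overflow check exists, so the slight loss of CSE matches there is an acceptable trade for a uniform, sound key.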
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
