Title: [284585] trunk/Source/JavaScriptCore
Revision: 284585
Author: ysuz...@apple.com
Date: 2021-10-20 17:00:20 -0700 (Wed, 20 Oct 2021)

Log Message

[JSC] ArithAbs should care about INT32_MIN
https://bugs.webkit.org/show_bug.cgi?id=232051
rdar://84338648

Reviewed by Michael Saboff.

ArithAbs (without overflow check) can return a negative value if the input is INT32_MIN with Int32Use.

* dfg/DFGIntegerRangeOptimizationPhase.cpp:

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (284584 => 284585)


--- trunk/Source/_javascript_Core/ChangeLog	2021-10-20 23:51:58 UTC (rev 284584)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-21 00:00:20 UTC (rev 284585)
@@ -1,3 +1,15 @@
+2021-10-20  Yusuke Suzuki  <ysuz...@apple.com>
+
+        [JSC] ArithAbs should care about INT32_MIN
+        https://bugs.webkit.org/show_bug.cgi?id=232051
+        rdar://84338648
+
+        Reviewed by Michael Saboff.
+
+        ArithAbs (without overflow check) can return negative value if the input is INT32_MIN with Int32Use.
+
+        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
+
 2021-10-20  Justin Michaud  <justin_mich...@apple.com>
 
         We should watch isHavingABadTime if we read from the structureCache
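
Review bot: the `* dfg/DFGIntegerRangeOptimizationPhase.cpp:` line that closes the new entry has nothing after the colon, so the ChangeLog does not say which case changed or how. Name the ArithAbs case there and state the new rule: the `x >= 0` relationship is recorded only when the node checks overflow or the input is proven greater than INT32_MIN. The revision as shown modifies only the ChangeLog and one source file, so a regression test that feeds INT32_MIN to an unchecked ArithAbs would be worth adding with it.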

Modified: trunk/Source/JavaScriptCore/dfg/DFGIntegerRangeOptimizationPhase.cpp (284584 => 284585)


--- trunk/Source/_javascript_Core/dfg/DFGIntegerRangeOptimizationPhase.cpp	2021-10-20 23:51:58 UTC (rev 284584)
+++ trunk/Source/_javascript_Core/dfg/DFGIntegerRangeOptimizationPhase.cpp	2021-10-21 00:00:20 UTC (rev 284585)
@@ -1400,7 +1400,25 @@
         case ArithAbs: {
             if (node->child1().useKind() != Int32Use)
                 break;
-            setRelationship(Relationship(node, m_zero, Relationship::GreaterThan, -1));
+
+            // If ArithAbs cares about overflow, then INT32_MIN input will cause OSR exit.
+            // Thus we can safely say `x >= 0`.
+            if (shouldCheckOverflow(node->arithMode())) {
+                setRelationship(Relationship(node, m_zero, Relationship::GreaterThan, -1));
+                break;
+            }
+
+            // If ArithAbs does not care about overflow, it can return INT32_MIN if the input is INT32_MIN.
+            // If minValue is not INT32_MIN, we can still say it is `x >= 0`.
+            int minValue = std::numeric_limits<int>::min();
+            auto iter = m_relationships.find(node->child1().node());
+            if (iter != m_relationships.end()) {
+                for (Relationship relationship : iter->value)
+                    minValue = std::max(minValue, relationship.minValueOfLeft());
+            }
+
+            if (minValue > std::numeric_limits<int>::min())
+                setRelationship(Relationship(node, m_zero, Relationship::GreaterThan, -1));
             break;
         }
             
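
Review bot: in the unchecked branch the bound is spelled `std::numeric_limits<int>::min()` in both the initializer and the final comparison, while the comments and the log message speak of INT32_MIN; use `std::numeric_limits<int32_t>::min()`, or a constant declared once, so the code states the width it depends on. The loop `for (Relationship relationship : iter->value)` copies each element only to call `minValueOfLeft()`; iterating by `const Relationship&` avoids that. The second comment could also say that when no existing relationship raises `minValue`, no fact is recorded for the node at all, since that fall-through to `break` is what the fix relies on.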