Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: fb4ca5da0f8e84a9e186efd411a0f14d709de0b4
    https://github.com/WebKit/WebKit/commit/fb4ca5da0f8e84a9e186efd411a0f14d709de0b4
Author: Yusuke Suzuki <ysuz...@apple.com>
Date: 2023-05-22 (Mon, 22 May 2023)

Changed paths:
  A JSTests/stress/ftl-bound-check-for-enumerator-next-update-index-and-mode.js
  M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

Log Message:
-----------
FTL missing bound check of for-in loop
https://bugs.webkit.org/show_bug.cgi?id=252801
rdar://105820083

Reviewed by Michael Saboff.

EnumeratorNextUpdateIndexAndMode for IndexedMode uses HasIndexProperty internally.
But this node does not do bound check when ArrayMode is inBounds in FTL since FTL SSALowering phase
extracts this bound check as a separate CheckInBounds node. But for EnumeratorNextUpdateIndexAndMode,
we cannot do that since EnumeratorNextUpdateIndexAndMode's index is incremented internally.
Thus, we need to do bound check inside EnumeratorNextUpdateIndexAndMode when it is not done in
HasIndexProperty's code.

* JSTests/stress/ftl-bound-check-for-enumerator-next-update-index-and-mode.js: Added.
(shouldBe):
(opt):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

Originally-landed-as: 259548.377@safari-7615-branch (25a414a61f3e). rdar://105820083
Canonical link: https://commits.webkit.org/264326@main

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
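
The reasoning in the log message, as an added toy model (not WebKit code and not the test this commit adds): a bound check placed in a separate node sees the index before the operation increments it, so the element test runs on an index nobody checked. The array layout, the starting index of -1 and all function names are assumptions made for illustration.

```javascript
// Toy model, constructed for illustration; not JavaScriptCore code.
// Backing store with capacity 4 but logical length 2: slots 2 and 3
// hold stale data that enumeration must never observe.
function makeArray() {
  return { length: 2, slots: ["a", "b", "stale-1", "stale-2"] };
}

// Element test with no bound check of its own, standing in for an
// in-bounds fast path that relies on a check emitted elsewhere.
function hasIndexUnchecked(arr, i) {
  return arr.slots[i] !== undefined;
}

// Pattern A: the bound check is a separate step that runs on the index
// as it is *before* the operation. The operation then increments the
// index internally and tests the new, unchecked value.
function nextWithSeparateCheck(arr, index) {
  if (!(index < arr.length)) return { index, found: false };
  const next = index + 1;
  return { index: next, found: hasIndexUnchecked(arr, next) };
}

// Pattern B: the bound check lives inside the operation, after the
// increment, so it covers the index that is actually tested.
function nextWithInternalCheck(arr, index) {
  const next = index + 1;
  if (!(next < arr.length)) return { index: next, found: false };
  return { index: next, found: hasIndexUnchecked(arr, next) };
}

// Drive either step function the way a for-in over indices would,
// recording every element the loop body gets to see.
function enumerate(arr, step) {
  const visited = [];
  let state = { index: -1, found: true };
  for (let guard = 0; guard < 16; guard++) {
    state = step(arr, state.index);
    if (!state.found) break;
    visited.push(arr.slots[state.index]);
  }
  return visited;
}

console.log("separate check:", enumerate(makeArray(), nextWithSeparateCheck));
console.log("internal check:", enumerate(makeArray(), nextWithInternalCheck));
```

In the model, the separate check passes for index 1 and the operation then reads slot 2, one past the logical length; the internal check stops at the length.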