Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 008ce40466bc0eaed001cf90db4de76edf65dc01
https://github.com/WebKit/WebKit/commit/008ce40466bc0eaed001cf90db4de76edf65dc01
Author: Sosuke Suzuki <[email protected]>
Date: 2026-04-26 (Sun, 26 Apr 2026)
Changed paths:
A JSTests/wasm/stress/bounds-check-int32-offset-dirty-high-bits.js
M Source/JavaScriptCore/b3/B3LowerToAir.cpp
Log Message:
-----------
[JSC] OMG should only emit WasmBoundsCheck overflow guard for Int64 pointers
https://bugs.webkit.org/show_bug.cgi?id=313332

Reviewed by Yusuke Suzuki.

311362@main added a 3-arg Air::WasmBoundsCheck that emits a 64-bit
Below(ptrPlusImm, pointer) wrap-around guard. For memory32 the pointer
is an Int32 Tmp whose upper 32 bits are undefined, so the Branch64 can
spuriously jump to the OOB handler in BoundsChecking mode. The sum of a
zero-extended i32 and the offset cannot overflow 64 bits anyway, so
restrict the guard to Int64 pointers.

Test: JSTests/wasm/stress/bounds-check-int32-offset-dirty-high-bits.js
* JSTests/wasm/stress/bounds-check-int32-offset-dirty-high-bits.js: Added.
(async test):
* Source/JavaScriptCore/b3/B3LowerToAir.cpp:
Canonical link: https://commits.webkit.org/312035@main
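
A small C++ model of the failure mode the log message describes, added here as an illustration; it is not code from the WebKit commit. The register model, `PtrType`, `limit`, the form of the limit comparison, and the function names are assumptions of this example.

```cpp
#include <cstdint>
#include <cstdio>

// Simplified model (an assumption of this example, not JSC code): a 64-bit
// machine register holding either an Int64 value or an Int32 value whose
// upper 32 bits are whatever an earlier instruction left behind.
enum class PtrType { Int32, Int64 };

// Address compared against the memory limit. An Int32 pointer is zero-extended
// before the offset is added, so dirty upper bits never reach the sum.
static uint64_t ptrPlusImm(uint64_t reg, PtrType type, uint64_t offset)
{
    uint64_t base = (type == PtrType::Int32) ? static_cast<uint32_t>(reg) : reg;
    return base + offset; // wraps modulo 2^64, like the machine add
}

// Guard applied to every pointer type: 64-bit Below(ptrPlusImm, pointer)
// evaluated on the raw register, dirty bits included.
static bool trapsGuardAlways(uint64_t reg, PtrType type, uint64_t offset, uint64_t limit)
{
    uint64_t sum = ptrPlusImm(reg, type, offset);
    if (sum < reg)
        return true;     // wrap-around guard
    return sum >= limit; // ordinary bounds check (hypothetical form)
}

// Guard restricted to Int64 pointers. For Int32, zext(i32) + offset stays far
// below 2^64 (assuming a 32-bit offset for memory32), so no guard is needed.
static bool trapsGuardInt64Only(uint64_t reg, PtrType type, uint64_t offset, uint64_t limit)
{
    uint64_t sum = ptrPlusImm(reg, type, offset);
    if (type == PtrType::Int64 && sum < reg)
        return true;
    return sum >= limit;
}

int main()
{
    const uint64_t limit = 65536;               // constructed: one 64 KiB page
    const uint64_t dirty = 0xDEADBEEF00000010u; // constructed: i32 0x10, dirty high bits
    std::printf("guard on all types, dirty i32: %d\n", trapsGuardAlways(dirty, PtrType::Int32, 8, limit));
    std::printf("guard on Int64 only, dirty i32: %d\n", trapsGuardInt64Only(dirty, PtrType::Int32, 8, limit));
    std::printf("guard on Int64 only, wrapping i64: %d\n",
        trapsGuardInt64Only(0xFFFFFFFFFFFFFFF0u, PtrType::Int64, 0x20, limit));
    return 0;
}
```

The in-bounds access at 0x10 + 8 traps only when the guard reads the dirty register, while the wrapping Int64 address is rejected in both variants.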