Changeset 245769 in webkit
- Timestamp: May 25, 2019 2:25:25 AM
- Location: trunk
- Files: 1 added, 3 edited
trunk/JSTests/ChangeLog
r245765 r245769 1 2019-05-25 Tadeu Zagallo <tzagallo@apple.com> 2 3 JITOperations getByVal should mark negative array indices as out-of-bounds 4 https://bugs.webkit.org/show_bug.cgi?id=198229 5 6 Reviewed by Saam Barati. 7 8 * microbenchmarks/get-by-val-negative-array-index.js: Added. 9 (foo): 10 1 11 2019-05-24 Justin Michaud <justin_michaud@apple.com> 2 12 -
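Review bot: The entry for microbenchmarks/get-by-val-negative-array-index.js lists only `(foo):` and says nothing about what the benchmark measures; a one-line note that it exercises `array[array.length - 1]` on an empty array (index -1), the prepack-wtb pattern described in the JavaScriptCore ChangeLog, would let someone reading JSTests on its own know which path the test isolates.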
trunk/Source/JavaScriptCore/ChangeLog
r245765 r245769 1 2019-05-25 Tadeu Zagallo <tzagallo@apple.com> 2 3 JITOperations getByVal should mark negative array indices as out-of-bounds 4 https://bugs.webkit.org/show_bug.cgi?id=198229 5 6 Reviewed by Saam Barati. 7 8 get_by_val with an array or string as base value and a negative index causes DFG to OSR exit, 9 but baseline doesn't mark it as out-of-bounds, since it only considers positive indices. This 10 leads to discarding DFG code, recompiling it and exiting at the same bytecode. 11 12 This is observed in the prepack-wtb subtest of JetStream2. In popContext#CdOhFJ, the last item 13 of the array popped and the new last value is accessed using `array[array.length - 1]`, which 14 is -1 when the array is empty. It shows a ~0.5% progression in JetStream2, but it's within the 15 noise. 16 17 * jit/JITOperations.cpp: 18 (JSC::getByVal): 19 1 20 2019-05-24 Justin Michaud <justin_michaud@apple.com> 2 21 -
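Review bot: The description explains why the baseline slow path must now see negative indices but not what happens to them once the new `i >= 0` guards reject them: state explicitly that a negative index falls through to the generic path where the out-of-bounds state is recorded, since that recording is the behavioural change the DFG relies on to stop exiting at the same bytecode. Two documentation points: `popContext#CdOhFJ` is named without saying it is a function in the prepack-wtb source, and the ~0.5% JetStream2 figure that is "within the noise" would be more convincing beside the number from the new get-by-val-negative-array-index.js microbenchmark, which is the test that isolates this path.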
trunk/Source/JavaScriptCore/jit/JITOperations.cpp
r245658 r245769 1851 1851 } 1852 1852 1853 if (subscript.is UInt32()) {1853 if (subscript.isInt32()) { 1854 1854 ASSERT(exec->bytecodeOffset()); 1855 1855 byValInfo->tookSlowPath = true; 1856 1856 1857 uint32_t i = subscript.asUInt32();1857 int32_t i = subscript.asInt32(); 1858 1858 if (isJSString(baseValue)) { 1859 if ( asString(baseValue)->canGetIndex(i)) {1859 if (i >= 0 && asString(baseValue)->canGetIndex(i)) { 1860 1860 ctiPatchCallByReturnAddress(returnAddress, operationGetByValString); 1861 1861 RELEASE_AND_RETURN(scope, asString(baseValue)->getIndex(exec, i)); … … 1869 1869 bool skipMarkingOutOfBounds = false; 1870 1870 1871 if (object->indexingType() == ArrayWithContiguous && i < object->butterfly()->publicLength()) {1871 if (object->indexingType() == ArrayWithContiguous && i >= 0 && static_cast<uint32_t>(i) < object->butterfly()->publicLength()) { 1872 1872 // FIXME: expand this to ArrayStorage, Int32, and maybe Double: 1873 1873 // https://bugs.webkit.org/show_bug.cgi?id=182940 … … 1884 1884 } 1885 1885 1886 RELEASE_AND_RETURN(scope, baseValue.get(exec, i)); 1886 if (i >= 0) 1887 RELEASE_AND_RETURN(scope, baseValue.get(exec, static_cast<uint32_t>(i))); 1887 1888 } 1888 1889
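Review bot: The negative-index case is handled only by omission. With `if (i >= 0)` guarding the final `RELEASE_AND_RETURN(scope, baseValue.get(exec, static_cast<uint32_t>(i)));`, a negative `i` silently falls out of the `isInt32()` block to whatever follows the closing brace, and nothing in the hunk shows that code marking the access out-of-bounds, which is the whole purpose of the change. Add a comment at that site saying negative indices deliberately fall through so the out-of-bounds marking below runs, or make it an explicit `else`, so the next reader does not mistake the fall-through for a missing return. Two smaller points: the string branch passes the signed `i` directly to `asString(baseValue)->canGetIndex(i)` and `getIndex(exec, i)` while the array branch uses `static_cast<uint32_t>(i)`; pick one convention, since the `i >= 0` guard makes both safe and the inconsistency only invites questions. And `skipMarkingOutOfBounds` at line 1869 is declared before the `i >= 0` test inside the `ArrayWithContiguous` condition, so confirm in the elided lines that it stays false for negative `i` rather than being set by a branch this hunk does not show.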