Context Navigation

← Previous Changeset
Next Changeset →

Changeset 260522 in webkit

Timestamp:

Apr 22, 2020 11:12:34 AM (4 years ago)

Author:

ysuzuki@apple.com

Message:

[JSC] JSBigInt inc operation does not produce right HeapBigInt zero
https://bugs.webkit.org/show_bug.cgi?id=210860

Reviewed by Mark Lam.

JSTests:

stress/bigint-zero-canonicalized.js: Added.

(shouldBe):

Source/JavaScriptCore:

JSBigInt::inc can produce signed HeapBigInt zero, which is not meeting the invariant of JSBigInt.
This patch fixes it by checking zero status before setting setSign(true).

runtime/JSBigInt.cpp:

(JSC::JSBigInt::inc):

runtime/JSCJSValue.cpp:

(JSC::JSValue::dumpInContextAssumingStructure const):

Location:

trunk

Files:

: 1 added
: 4 edited

JSTests/ChangeLog (modified) (1 diff)
JSTests/stress/bigint-zero-canonicalized.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/runtime/JSBigInt.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/JSCJSValue.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/JSTests/ChangeLog

-                      r260517
+                      r260522
+-04-22  Yusuke Suzuki  <ysuzuki@apple.com>
+        [JSC] JSBigInt inc operation does not produce right HeapBigInt zero
+        https://bugs.webkit.org/show_bug.cgi?id=210860
+        Reviewed by Mark Lam.
+        * stress/bigint-zero-canonicalized.js: Added.
+        (shouldBe):
 -04-22  Saam Barati  <sbarati@apple.com>

trunk/Source/JavaScriptCore/ChangeLog

-                      r260520
+                      r260522
+-04-22  Yusuke Suzuki  <ysuzuki@apple.com>
+        [JSC] JSBigInt inc operation does not produce right HeapBigInt zero
+        https://bugs.webkit.org/show_bug.cgi?id=210860
+        Reviewed by Mark Lam.
+        JSBigInt::inc can produce signed HeapBigInt zero, which is not meeting the invariant of JSBigInt.
+        This patch fixes it by checking zero status before setting `setSign(true)`.
+        * runtime/JSBigInt.cpp:
+        (JSC::JSBigInt::inc):
+        * runtime/JSCJSValue.cpp:
+        (JSC::JSValue::dumpInContextAssumingStructure const):
 -04-22  Devin Rousso  <drousso@apple.com>

trunk/Source/JavaScriptCore/runtime/JSBigInt.cpp

r260358	r260522
447	447	return absoluteAddOne(globalObject, x, SignOption::Unsigned);
448	448	JSBigInt* result = absoluteSubOne(globalObject, x, x->length());
	449	if (result->isZero())
	450	return result;
449	451	result->setSign(true);
450	452	return result;

trunk/Source/JavaScriptCore/runtime/JSCJSValue.cpp

r260331	r260522
313	313	out.print("Structure: ", inContext(jsCast<Structure>(asCell()), context));
314	314	else if (isHeapBigInt())
315		out.print("BigInt[heap-allocated]: addr=", RawPointer(asCell()));
	315	out.print("BigInt[heap-allocated]: addr=", RawPointer(asCell()), ", length=", jsCast<JSBigInt>(asCell())->length(), ", sign=", jsCast<JSBigInt>(asCell())->sign());
316	316	else if (structure->classInfo()->isSubClassOf(JSObject::info())) {
317	317	out.print("Object: ", RawPointer(asCell()));

Note: See TracChangeset for help on using the changeset viewer.