Changeset 172282 in webkit for trunk/Source/JavaScriptCore/dfg


Timestamp:
Aug 7, 2014, 3:08:19 PM (11 years ago)
Author:
[email protected]
Message:

SpeculateInt32Operand is sometimes used in a 64-bit context, which has undefined behavior
https://bugs.webkit.org/show_bug.cgi?id=135722

Reviewed by Filip Pizlo.

We should be using SpeculateStrictInt32Operand instead.

  • dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

File:
1 edited

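--- a/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
@@ -4722,5 +4722,5 @@
     case HasIndexedProperty: {
         SpeculateCellOperand base(this, node->child1());
-        SpeculateInt32Operand index(this, node->child2());
+        SpeculateStrictInt32Operand index(this, node->child2());
         GPRResult result(this);
 
@@ -4807,5 +4807,5 @@
         SpeculateCellOperand base(this, baseEdge);
         SpeculateCellOperand property(this, propertyEdge);
-        SpeculateInt32Operand index(this, indexEdge);
+        SpeculateStrictInt32Operand index(this, indexEdge);
         SpeculateCellOperand enumerator(this, enumeratorEdge);
         GPRResult result(this);
@@ -4877,7 +4877,6 @@
     case GetEnumeratorPname: {
         SpeculateCellOperand enumerator(this, node->child1());
-        SpeculateInt32Operand index(this, node->child2());
+        SpeculateStrictInt32Operand index(this, node->child2());
         GPRTemporary scratch1(this);
-        GPRTemporary scratch2(this);
         GPRResult result(this);
 
@@ -4885,5 +4884,4 @@
         GPRReg indexGPR = index.gpr();
         GPRReg scratch1GPR = scratch1.gpr();
-        GPRReg scratch2GPR = scratch2.gpr();
         GPRReg resultGPR = result.gpr();
 
@@ -4897,7 +4895,5 @@
 
         m_jit.loadPtr(MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset()), scratch1GPR);
-        m_jit.move(indexGPR, scratch2GPR);
-        m_jit.signExtend32ToPtr(scratch2GPR, scratch2GPR);
-        m_jit.load64(MacroAssembler::BaseIndex(scratch1GPR, scratch2GPR, MacroAssembler::TimesEight), resultGPR);
+        m_jit.load64(MacroAssembler::BaseIndex(scratch1GPR, indexGPR, MacroAssembler::TimesEight), resultGPR);
 
         done.link(&m_jit);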
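Review bot: The new `load64(BaseIndex(scratch1GPR, indexGPR, TimesEight), ...)` in the GetEnumeratorPname hunk now feeds indexGPR straight into a 64-bit address computation with the explicit `signExtend32ToPtr` removed, and nothing at the call site records that this is only sound because `index` is now a SpeculateStrictInt32Operand; a later edit that switches the operand type back would silently reintroduce the ill-defined upper-32-bit address scaling the commit message describes. Add a comment above the load, e.g. `// index is a SpeculateStrictInt32Operand, so indexGPR may be used directly as a 64-bit BaseIndex operand (see r172282).`, and the same for the HasIndexedProperty and indexEdge sites in the first two hunks, whose uses of index.gpr() are outside the hunk. The hunk also shows no bounds check of indexGPR against the cached property-names vector length before the load; if that check lives above this hunk (the `done` label suggests an earlier branch), a one-line comment pointing to it would make the load's safety auditable in isolation. The enclosing SpeculativeJIT::compile body starts and ends outside the hunk.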