Changeset 266254 in webkit for trunk/Source/JavaScriptCore


Timestamp:
Aug 27, 2020, 2:16:01 PM
Author:
[email protected]
Message:

GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined
https://bugs.webkit.org/show_bug.cgi?id=215894
<rdar://problem/67669696>

Reviewed by Michael Saboff and Keith Miller.

JSTests:

  • stress/oob-sane-chain-double-constant-fold-to-PNaN.js: Added.

Source/JavaScriptCore:

GetByVals of the form { OutOfBoundsSaneChain, Double } where there are no
BytecodeUsesAsOther return PNaN for holes and OOB accesses, not jsUndefined().
The constant folding for this though was folding to jsUndefined(). I forgot
to update that code to constant fold to PNaN when I wrote the OutOfBoundsSaneChain
implementation.

  • dfg/DFGAbstractInterpreterInlines.h:
    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
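The language-level contract that the DFG's constant fold has to reproduce, as an added example that is not part of this changeset or of WebKit's own tests: a hole or out-of-bounds read from a double array yields undefined, which becomes NaN the moment it is used only as a number (the `+ 0` below is the JavaScript-visible stand-in for "no BytecodeUsesAsOther"), but only while Array.prototype and Object.prototype have no indexed properties, which is the "sane chain" precondition the fold guards with prototype structure watchpoints. Whether a given engine actually takes the OutOfBoundsSaneChain path is not observable from script; the example only pins down the values the path must agree with. The function names `readAsNumber`, `readAsValue`, `demo` and `demoWithIndexedPrototype` and the sample arrays are assumptions made for the example.

```javascript
// Added example; not code from the WebKit changeset. It shows the observable
// semantics that any PNaN-for-undefined substitution in the JIT must match.
"use strict";

// Constructed sample input: all elements are non-integer numbers, so JSC
// would use ArrayWithDouble storage for this array.
const doubles = [1.5, 2.5, 3.5];

// Constructed sample input: index 1 is a hole (never written).
const holey = [0.5, , 2.5];

// The loaded value is only ever used as a number (`+ 0`), so a hole or an
// out-of-bounds read goes undefined -> ToNumber -> NaN. This is the
// JS-visible shape of the "no BytecodeUsesAsOther" case.
function readAsNumber(arr, i) {
    return arr[i] + 0;
}

// The loaded value escapes as-is, so the caller can tell undefined from NaN.
// No PNaN substitution would be valid here.
function readAsValue(arr, i) {
    return arr[i];
}

// Sane-chain case: no indexed properties on the prototypes, so holes and
// OOB reads are undefined, and NaN once used numerically.
function demo() {
    return {
        oobNumber: readAsNumber(doubles, 10),   // NaN
        holeNumber: readAsNumber(holey, 1),     // NaN
        oobValue: readAsValue(doubles, 10),     // undefined
        holeValue: readAsValue(holey, 1),       // undefined
    };
}

// Chain no longer sane: an indexed property on Array.prototype is found by
// the OOB read, so neither undefined nor NaN is the right answer any more.
// This is why the fold watches the prototype structures before firing.
function demoWithIndexedPrototype() {
    Object.defineProperty(Array.prototype, 10, { value: 42, configurable: true });
    try {
        return {
            oobNumber: readAsNumber(doubles, 10),   // 42
            oobValue: readAsValue(doubles, 10),     // 42
        };
    } finally {
        delete Array.prototype[10];                 // restore the sane chain
    }
}
```

Note that the hole at index 1 of `holey` is unaffected by the prototype property at index 10; only reads whose index resolves on the prototype chain change meaning, which is exactly the set the watchpoints exist to detect.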

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r266251 r266254  
     12020-08-27  Saam Barati  <[email protected]>
     2
     3        GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined
     4        https://bugs.webkit.org/show_bug.cgi?id=215894
     5        <rdar://problem/67669696>
     6
     7        Reviewed by Michael Saboff and Keith Miller.
     8
     9        GetByVals of the form { OutOfBoundsSaneChain, Double } where there are no
     10        BytecodeUsesAsOther return PNaN for holes and OOB accesses, not jsUndefined().
     11        The constant folding for this though was folding to jsUndefined(). I forgot
     12        to update that code to constant fold to PNaN when I wrote the OutOfBoundsSaneChain
     13        implementation.
     14
     15        * dfg/DFGAbstractInterpreterInlines.h:
     16        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
     17
    1182020-08-27  Keith Miller  <[email protected]>
    219
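Review bot: the entry states what the fold must produce but not what went wrong when it produced jsUndefined() for a node whose array mode (Array::Double, OutOfBoundsSaneChain, no BytecodeUsesAsOther) promises a double result; one sentence on the downstream effect of a double-typed node carrying a non-number constant would let a reader judge the severity of the mismatch from the log alone, and would make the link to the new stress test (named only in the commit message, under JSTests) explicit.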
  • trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

    r266223 r266254  
    22392239                            m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
    22402240                            m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
    2241                             // Note that Array::Double and Array::Int32 return JSValue if array mode is OutOfBounds.
    2242                             setConstant(node, jsUndefined());
     2241                            if (node->arrayMode().type() == Array::Double && node->arrayMode().isOutOfBoundsSaneChain() && !(node->flags() & NodeBytecodeUsesAsOther))
     2242                                setConstant(node, jsNumber(PNaN));
     2243                            else
     2244                                setConstant(node, jsUndefined());
    22432245                            return true;
    22442246                        }
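Review bot: the condition added at new line 2241 re-derives by hand the predicate that decides whether a Double/OutOfBoundsSaneChain load yields PNaN (array type, sane-chain mode, no NodeBytecodeUsesAsOther); the bug being fixed is exactly this predicate living in one place and being forgotten in another, so it should move into a single query on the node or ArrayMode (a hypothetical name would be something like `returnsPNaNForOutOfBounds()`) that both the abstract interpreter and the code generator call, so they cannot drift again. The removed comment at old line 2241 ("Array::Double and Array::Int32 return JSValue if array mode is OutOfBounds") was the only documentation of why the `else` branch still folds Int32 (and Double with UsesAsOther) to jsUndefined(); keep a comment on the else branch saying so rather than dropping it, and note on the PNaN branch that it relies on the same two prototype watchpoints registered at 2239-2240.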