Changeset 38334 in webkit for trunk/JavaScriptCore

Timestamp:

Nov 12, 2008, 3:31:05 AM (17 years ago)

Author:

[email protected]

Message:

JavaScriptCore:

2008-11-12 Gavin Barraclough <​[email protected]>

Reviewed by Cameron Zwarich.

Fix for ​https://bugs.webkit.org/show_bug.cgi?id=22201
Integer conversion in array.length was safe signed values,
but the length is unsigned.

• VM/CTI.cpp: (JSC::CTI::privateCompilePatchGetArrayLength):

LayoutTests:

2008-11-12 Gavin Barraclough <​[email protected]>

Reviewed by Cameron Zwarich.

Test for ​https://bugs.webkit.org/show_bug.cgi?id=22201

• fast/js/pic/cached-array-length-access-expected.txt: Added.
• fast/js/pic/cached-array-length-access.html: Added.

Location:

trunk/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• VM/CTI.cpp (modified) (1 diff)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2008-11-12  Gavin Barraclough  <[email protected]>
+
+        Reviewed by Cameron Zwarich.
+
+        Fix for https://bugs.webkit.org/show_bug.cgi?id=22201
+        Integer conversion in array.length was safe signed values,
+        but the length is unsigned.
+
+        * VM/CTI.cpp:
+        (JSC::CTI::privateCompilePatchGetArrayLength):
+
 2008-11-12  Cameron Zwarich  <[email protected]>
 

trunk/JavaScriptCore/VM/CTI.cpp

@@ -3428 +3428 @@
     m_jit.movl_mr(OBJECT_OFFSET(ArrayStorage, m_length), X86::ecx, X86::ecx);
 
+    m_jit.cmpl_i32r(JSImmediate::maxImmediateInt, X86::ecx);
+    X86Assembler::JmpSrc failureCases3 = m_jit.emitUnlinkedJa();
+
     m_jit.addl_rr(X86::ecx, X86::ecx);
-    X86Assembler::JmpSrc failureClobberedECX = m_jit.emitUnlinkedJo();
     m_jit.addl_i8r(1, X86::ecx);
-
     X86Assembler::JmpSrc success = m_jit.emitUnlinkedJmp();
-
-    m_jit.link(failureClobberedECX, m_jit.label());
-    m_jit.emitRestoreArgumentReference();
-    X86Assembler::JmpSrc failureCases3 = m_jit.emitUnlinkedJmp();
 
     void* code = m_jit.copy();