Cherry-pick 271580@main (ab0808f). https://bugs.webkit.org/show_bug.c…

…gi?id=265730 Fix nullptr deref in B3::ReduceStrength's handling of Trunc for double constants. https://bugs.webkit.org/show_bug.cgi?id=265730 rdar://116459635 Reviewed by Yusuke Suzuki. We cannot run asInt64() on a ConstDoubleValue. This patch fixes this by handling ConstDoubleValue separately and running asDouble() on it instead. * Source/JavaScriptCore/b3/B3ReduceStrength.cpp: Canonical link: https://commits.webkit.org/271580@main
WebKit · Dec 15, 2023 · a5a3b71 · a5a3b71
1 parent 2fea3c3
commit a5a3b71
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 6 deletions.
diff --git a/Source/JavaScriptCore/b3/B3ReduceStrength.cpp b/Source/JavaScriptCore/b3/B3ReduceStrength.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015-2022 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2023 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -1981,11 +1981,18 @@ class ReduceStrength {
             break;
 
         case Trunc:
-            // Turn this: Trunc(constant)
-            // Into this: static_cast<int32_t>(constant)
-            if (m_value->child(0)->hasInt64() || m_value->child(0)->hasDouble()) {
-                replaceWithNewValue(
-                    m_proc.addIntConstant(m_value, static_cast<int32_t>(m_value->child(0)->asInt64())));
+            // Turn this: Trunc(int64Constant)
+            // Into this: static_cast<int32_t>(int64Constant)
+            if (m_value->child(0)->hasInt64()) {
+                replaceWithNewValue(m_proc.addIntConstant(m_value, static_cast<int32_t>(m_value->child(0)->asInt64())));
+                break;
+            }
+
+            // Turn this: Trunc(doubleConstant)
+            // Into this: bitwise_cast<float>(static_cast<int32_t>(bitwise_cast<int64_t>(doubleConstant)))
+            if (m_value->child(0)->hasDouble()) {
+                double value = m_value->child(0)->asDouble();
+                replaceWithNewValue(m_proc.addConstant(m_value->origin(), m_value->type(), bitwise_cast<int64_t>(value)));
                 break;
             }
 

diff --git a/Source/JavaScriptCore/b3/testb3.h b/Source/JavaScriptCore/b3/testb3.h
@@ -1072,6 +1072,8 @@ void testAddShl32();
 void testAddShl64();
 void testAddShl65();
 void testReduceStrengthReassociation(bool flip);
+void testReduceStrengthTruncInt64Constant(int64_t filler, int32_t value);
+void testReduceStrengthTruncDoubleConstant(double filler, float value);
 void testLoadBaseIndexShift2();
 void testLoadBaseIndexShift32();
 void testOptimizeMaterialization();

diff --git a/Source/JavaScriptCore/b3/testb3_1.cpp b/Source/JavaScriptCore/b3/testb3_1.cpp
@@ -786,6 +786,8 @@ void run(const TestConfig* config)
     RUN(testPinRegisters());
     RUN(testReduceStrengthReassociation(true));
     RUN(testReduceStrengthReassociation(false));
+    RUN_BINARY(testReduceStrengthTruncInt64Constant, int64Operands(), int32Operands());
+    RUN_BINARY(testReduceStrengthTruncDoubleConstant, floatingPointOperands<double>(), floatingPointOperands<float>());
     RUN(testAddShl32());
     RUN(testAddShl64());
     RUN(testAddShl65());

diff --git a/Source/JavaScriptCore/b3/testb3_7.cpp b/Source/JavaScriptCore/b3/testb3_7.cpp
@@ -380,6 +380,43 @@ void testReduceStrengthReassociation(bool flip)
         (root->last()->child(0)->child(0)->child(0) == arg2 && root->last()->child(0)->child(0)->child(1) == arg1));
 }
 
+template<typename B3ContType, typename Type64, typename Type32>
+void testReduceStrengthTruncConstant(Type64 filler, Type32 value)
+{
+    Procedure proc;
+    BasicBlock* root = proc.addBlock();
+
+    int64_t bits = bitwise_cast<int64_t>(filler);
+    int32_t loBits = bitwise_cast<int32_t>(value);
+    bits = ((bits >> 32) << 32) | loBits;
+    Type64 testValue = bitwise_cast<Type64>(bits);
+
+    Value* b2  = root->appendNew<B3ContType>(proc, Origin(), testValue);
+    Value* b3  = root->appendNew<Value>(proc, JSC::B3::Trunc, Origin(), b2);
+    root->appendNew<Value>(proc, Return, Origin(), b3);
+
+    proc.resetReachability();
+
+    reduceStrength(proc);
+
+    CHECK_EQ(root->last()->opcode(), Return);
+    if constexpr (std::is_same_v<B3ContType, ConstDoubleValue>) {
+        CHECK_EQ(root->last()->child(0)->opcode(), ConstFloat);
+        CHECK(bitwise_cast<int32_t>(root->last()->child(0)->asFloat()) == bitwise_cast<int32_t>(value));
+    } else
+        CHECK(root->last()->child(0)->isInt32(value));
+}
+
+void testReduceStrengthTruncInt64Constant(int64_t filler, int32_t value)
+{
+    testReduceStrengthTruncConstant<Const64Value>(filler, value);
+}
+
+void testReduceStrengthTruncDoubleConstant(double filler, float value)
+{
+    testReduceStrengthTruncConstant<ConstDoubleValue>(filler, value);
+}
+
 void testLoadBaseIndexShift2()
 {
     Procedure proc;