Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge r246071 - Argument elimination should check for negative indice…
…s in GetByVal https://bugs.webkit.org/show_bug.cgi?id=198302 <rdar://problem/51188095> Reviewed by Filip Pizlo. JSTests: * stress/eliminate-arguments-negative-rest-access.js: Added. (inlinee): (opt): Source/JavaScriptCore: In DFG::ArgumentEliminationPhase, the index is treated as unsigned, but there's no check for overflow in the addition. In compileGetMyArgumentByVal, there's a check for overflow, but the index is treated as signed, resulting in an index lower than numberOfArgumentsToSkip. * dfg/DFGArgumentsEliminationPhase.cpp: * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
- Loading branch information
1 parent
0f65eba
commit e93ef11
Showing
5 changed files
with
51 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
16 changes: 16 additions & 0 deletions
16
JSTests/stress/eliminate-arguments-negative-rest-access.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
//@ requireOptions("--forceEagerCompilation=1") | ||
|
||
function inlinee(index, value, ...rest) { | ||
return rest[index | 0]; | ||
} | ||
|
||
function opt() { | ||
return inlinee(-1, 0x1234); | ||
} | ||
noInline(opt); | ||
|
||
for (let i = 0; i < 1e6; i++) { | ||
const value = opt(); | ||
if (value !== undefined) | ||
throw new Error(`${i}: ${value}`); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters