Cherry-pick 259548.763@safari-7615-branch (62d974e). https://bugs.web…

…kit.org/show_bug.cgi?id=256865 [JSC] GetTypedArrayByteOffset should do speculation check for all bits in DFG https://bugs.webkit.org/show_bug.cgi?id=256865 rdar://109428505 Reviewed by Yusuke Suzuki. DFG abstract interpreter speculates that GetTypedArrayByteOffset node should have int32 result. However, when compiling GetTypedArrayByteOffset we only do speculation check on lower bits of the result, which is wrong. This patch fixes this problem. * Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp: Canonical link: https://commits.webkit.org/259548.763@safari-7615-branch
WebKit · Jul 28, 2023 · ef65ba5 · ef65ba5
1 parent 42bc82e
commit ef65ba5
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/JSTests/stress/regress-109102631.js b/JSTests/stress/regress-109102631.js
@@ -0,0 +1,23 @@
+function main() {
+    const buffer = new ArrayBuffer(4294967296);
+
+    const arr = new Uint8ClampedArray(buffer, 50)
+    const arr2 = new Uint8ClampedArray(buffer, 4294967296)
+
+    function opt(a, marr) {
+        return marr[a.byteOffset]
+    }
+
+    const marr = []
+    for (let i = 0; i < 1000; i++) {
+        marr.push(3)
+    }
+
+    for (let i = 0; i < 14; i++) {
+        opt(arr, marr)
+    }
+    print(opt(arr2, marr))
+}
+noDFG(main);
+noFTL(main);
+main();
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -8828,7 +8828,7 @@ void SpeculativeJIT::compileGetTypedArrayByteOffset(Node* node)
 #if USE(LARGE_TYPED_ARRAYS)
         load64(Address(baseGPR, JSArrayBufferView::offsetOfByteOffset()), resultGPR);
         // AI promises that the result of GetTypedArrayByteOffset will be Int32, so we must uphold that promise here.
-        speculationCheck(ExitKind::Overflow, JSValueRegs(), nullptr, branch32(Above, resultGPR, TrustedImm32(std::numeric_limits<int32_t>::max())));
+        speculationCheck(ExitKind::Overflow, JSValueRegs(), nullptr, branch64(Above, resultGPR, TrustedImm32(std::numeric_limits<int32_t>::max())));
 #else
         load32(Address(baseGPR, JSArrayBufferView::offsetOfByteOffset()), resultGPR);
 #endif
@@ -8854,7 +8854,7 @@ void SpeculativeJIT::compileGetTypedArrayByteOffset(Node* node)
 #if USE(LARGE_TYPED_ARRAYS)
     load64(Address(baseGPR, JSArrayBufferView::offsetOfByteOffset()), resultGPR);
     // AI promises that the result of GetTypedArrayByteOffset will be Int32, so we must uphold that promise here.
-    speculationCheck(ExitKind::Overflow, JSValueRegs(), nullptr, branch32(Above, resultGPR, TrustedImm32(std::numeric_limits<int32_t>::max())));
+    speculationCheck(ExitKind::Overflow, JSValueRegs(), nullptr, branch64(Above, resultGPR, TrustedImm32(std::numeric_limits<int32_t>::max())));
 #else
     load32(Address(baseGPR, JSArrayBufferView::offsetOfByteOffset()), resultGPR);
 #endif