[webkit-changes] [WebKit/WebKit] 68133d: [JSC] GetTypedArrayByteOffset should do speculatio...

Commit Queue noreply at github.com
Mon Aug 7 09:57:36 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 68133dd90f053165d8d12d975bc01c164faf05dd
      https://github.com/WebKit/WebKit/commit/68133dd90f053165d8d12d975bc01c164faf05dd
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2023-08-07 (Mon, 07 Aug 2023)

  Changed paths:
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

  Log Message:
  -----------
  [JSC] GetTypedArrayByteOffset should do speculation check for all bits in DFG
https://bugs.webkit.org/show_bug.cgi?id=256865
rdar://109428505

Reviewed by Yusuke Suzuki.

The DFG abstract interpreter speculates that the GetTypedArrayByteOffset node
should have an int32 result. However, when compiling GetTypedArrayByteOffset
we only do a speculation check on the lower bits of the result, which is wrong.
This patch fixes this problem.

* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:

Originally-landed-as: 259548.763 at safari-7615-branch (62d974e46170). rdar://113502667
Canonical link: https://commits.webkit.org/266639@main



