[webkit-changes] [WebKit/WebKit] fb4ca5: FTL missing bound check of for-in loop
Yusuke Suzuki
noreply at github.com
Mon May 22 10:10:17 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: fb4ca5da0f8e84a9e186efd411a0f14d709de0b4
https://github.com/WebKit/WebKit/commit/fb4ca5da0f8e84a9e186efd411a0f14d709de0b4
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2023-05-22 (Mon, 22 May 2023)
Changed paths:
A JSTests/stress/ftl-bound-check-for-enumerator-next-update-index-and-mode.js
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Log Message:
-----------
FTL missing bound check of for-in loop
https://bugs.webkit.org/show_bug.cgi?id=252801
rdar://105820083
Reviewed by Michael Saboff.
EnumeratorNextUpdateIndexAndMode for IndexedMode uses HasIndexProperty internally. But
this node does not do a bound check when ArrayMode is inBounds in FTL, since the FTL SSALowering
phase extracts this bound check as a separate CheckInBounds node. But for EnumeratorNextUpdateIndexAndMode,
we cannot do that since EnumeratorNextUpdateIndexAndMode's index is incremented internally. Thus,
we need to do the bound check inside EnumeratorNextUpdateIndexAndMode when it is not done in HasIndexProperty's
code.
* JSTests/stress/ftl-bound-check-for-enumerator-next-update-index-and-mode.js: Added.
(shouldBe):
(opt):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
Originally-landed-as: 259548.377 at safari-7615-branch (25a414a61f3e). rdar://105820083
Canonical link: https://commits.webkit.org/264326@main
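The situation the commit message describes, as an added example that is not the commit's own regression test (the contents of JSTests/stress/ftl-bound-check-for-enumerator-next-update-index-and-mode.js are not reproduced on this page): a for-in loop over an array whose indexed storage shrinks while the enumerator is still advancing its internal index. ECMAScript's EnumerateObjectProperties requires that a property deleted before it is visited is skipped, so an engine must re-check that each index is still in bounds on every step rather than trust the length it observed when enumeration began. The helper names (`shouldBe`, `visitedKeysWithShrink`, `runMany`) are assumptions chosen to mirror the shape of JSC stress tests; the sample arrays are constructed.

```javascript
// Added example, not code from the WebKit commit. Exercises the for-in
// edge case the fix is about: the array is truncated from inside the loop
// body, so every index the enumerator advances to after the first must be
// re-validated against the current storage length.

function shouldBe(actual, expected) {
    if (actual !== expected)
        throw new Error(`bad value: ${actual}, expected ${expected}`);
}

// Baseline: keys visited when the array is not mutated.
function visitedKeys(array) {
    const keys = [];
    for (const key in array)
        keys.push(key);
    return keys;
}

// Keys visited when the array is cut down to one element the first time
// the body runs. Indices 1..n-1 are deleted before the enumerator reaches
// them, so a spec-conforming engine yields only "0".
function visitedKeysWithShrink(array) {
    const keys = [];
    for (const key in array) {
        // Every key handed to the body must still be a live property;
        // a stale key would mean the enumerator skipped its bound check.
        if (!(key in array))
            throw new Error(`enumerator yielded stale key ${key}`);
        keys.push(key);
        array.length = 1; // constructed mutation: drops indices 1..n-1 mid-loop
    }
    return keys;
}

// Repeats the check enough times for tiering JITs to compile the loop
// (the original bug only affected FTL-compiled code). Returns true when
// every iteration produced the spec-required key sequence.
function runMany(iterations) {
    for (let i = 0; i < iterations; ++i) {
        shouldBe(visitedKeys([10, 20, 30, 40]).join(","), "0,1,2,3");
        shouldBe(visitedKeysWithShrink([10, 20, 30, 40]).join(","), "0");
    }
    return true;
}

runMany(1e4);
```

Run it under any tier of a JavaScript engine; the `key in array` check inside the loop is the observable contract that a missing bound check in the enumerator's fast path would break, and `runMany` keeps the loop hot long enough for the optimizing tiers to take over.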