[webkit-changes] [WebKit/WebKit] 73a98d: TypedArray OutOfBounds gets ArrayModes need to rep...

Keith Miller noreply at github.com
Fri Dec 13 11:54:26 PST 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 73a98da7fb81b965b76a7e5ee474a0a89936e5ea
      https://github.com/WebKit/WebKit/commit/73a98da7fb81b965b76a7e5ee474a0a89936e5ea
  Author: Keith Miller <keith_miller at apple.com>
  Date:   2024-12-13 (Fri, 13 Dec 2024)

  Changed paths:
    A JSTests/stress/put-by-val-alias-out-of-bounds.js
    M Source/JavaScriptCore/dfg/DFGCSEPhase.cpp
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
    M Source/JavaScriptCore/dfg/DFGHeapLocation.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

  Log Message:
  -----------
  TypedArray OutOfBounds gets ArrayModes need to report this to `def`
https://bugs.webkit.org/show_bug.cgi?id=282450
rdar://138178696

Reviewed by Yusuke Suzuki.

Now that TypedArrays don't force an OSR exit on an out of bounds access we could
incorrectly convert a PutByVal to a PutByValAlias. In particular, if we have something
like:

```
 18  1 28:   D@69:<!3:->    GetByVal(KnownCell:D@49, Int32:D@64, Check:Untyped:D@139, JS|MustGen|VarArgs|PureInt|UseAsInt, BoolInt32|NonBoolInt32|Other, Int32Array+OriginalNonArray+OutOfBounds+AsIs+Read, R:TypedArrayProperties,MiscFields, Exits, bc#60, ExitValid)  predicting BoolInt32|Other
 19  1 28:   D@70:<!0:->    MovHint(Check:Untyped:D@69, MustGen, loc9, W:SideState, ClobbersExit, bc#60, ExitInvalid)
 20  1 28:   D@72:< 1:->    JSConstant(JS|PureInt|UseAsInt, NonBoolInt32, Int32: 65535, bc#66, ExitValid)
 21  1 28:  D@140:< 1:->    ValueToInt32(NotCellNorBigInt:D@69, Int32|PureInt|UseAsInt, Int32, Exits, bc#66, ExitValid)
 22  1 28:   D@73:< 2:->    ArithBitAnd(KnownInt32:D@140, Int32:D@72, Int32|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, Int32, Exits, bc#66, ExitValid)
 23  1 28:   D@86:<!0:->    Phantom(Check:Untyped:D@69, MustGen, bc#66, ExitValid)
 24  1 28:   D@74:<!0:->    MovHint(Check:Untyped:D@73, MustGen, loc9, W:SideState, ClobbersExit, bc#66, ExitInvalid)
 25  1 28:   D@76:<!0:->    PutByVal(KnownCell:D@49, Int32:D@64, Int32:D@73, Check:Untyped:D@139, MustGen|VarArgs, Int32Array+OriginalNonArray+InBounds+AsIs+Write, R:MiscFields, W:TypedArrayProperties, Exits, ClobbersExit, bc#72, ExitValid)
```

The above PutByVal will be converted to a PutByValAlias since it appears to `def` write the same HeapLocation `GetByVal` says it defs.
TypedArrays should now report that the HeapLocation they're writing to is OutOfBoundsSaneChain. We don't have to actually check the
prototype chain for typed arrays since they don't consult it for indexed properties.

* JSTests/stress/put-by-val-alias-out-of-bounds.js: Added.
(test):
* Source/JavaScriptCore/dfg/DFGCSEPhase.cpp:
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGHeapLocation.cpp:
(WTF::printInternal): Deleted.
* Source/JavaScriptCore/dfg/DFGHeapLocation.h:
(JSC::DFG::indexedPropertyLocToOutOfBoundsSaneChain):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):

Originally-landed-as: 283286.410@safari-7620-branch (903f38de509c). rdar://141317752
Canonical link: https://commits.webkit.org/287805@main
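The GetByVal/PutByVal shape from the IR dump above, written as a regression-style check from JavaScript. This is an added example, not the test file the commit adds; `readMaskWrite` and `runRegression` are made-up names, and the buffer contents are constructed sample data. It checks the observable JS invariants a JIT must preserve: an out-of-bounds typed array read yields undefined, and a write to the same out-of-bounds index is dropped, before and after the function is hot.

```javascript
// Same shape as the IR: GetByVal, ArithBitAnd with 0xffff, PutByVal to the
// same base and index. Per JS semantics the read is undefined when `i` is
// out of bounds (so the masked value is 0) and the write must be a no-op;
// treating the PutByVal as an alias of the GetByVal would skip that check.
function readMaskWrite(ta, i) {
  const masked = ta[i] & 0xffff; // undefined & 0xffff === 0 out of bounds
  ta[i] = masked;                // must not touch memory when i >= ta.length
  return masked;
}

function runRegression(iterations = 100000) {
  // Constructed sample buffer: every slot starts above 0xffff so the first
  // in-bounds write is visible as the value being masked down to 0x2345.
  const ta = new Int32Array(8).fill(0x12345);
  const outOfBounds = ta.length + 4;

  // Warm up with in-bounds indices so the write is profiled as InBounds...
  for (let n = 0; n < iterations; n++) readMaskWrite(ta, n & 7);
  // ...then drive the out-of-bounds read/write path on the hot function.
  let lastResult = -1;
  for (let n = 0; n < iterations; n++) lastResult = readMaskWrite(ta, outOfBounds);

  // Observable invariants: length unchanged, in-bounds data only ever masked,
  // out-of-bounds read still undefined, masked value of undefined is 0.
  const contentsIntact = Array.from(ta).every((v) => v === 0x2345);
  return {
    lastResult,
    lengthUnchanged: ta.length === 8,
    contentsIntact,
    oobReadUndefined: ta[outOfBounds] === undefined,
  };
}
```

Under a JIT with the aliasing bug the out-of-bounds store lands in memory rather than being dropped, which is why the engine's own test is run under a memory checker; from JavaScript the only observable symptoms are these invariants or a crash.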
