[webkit-reviews] review granted: [Bug 196631] [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode : [Attachment 366788] Patch
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Apr 4 19:18:03 PDT 2019
Saam Barati <sbarati at apple.com> has granted Yusuke Suzuki <ysuzuki at apple.com>'s
request for review:
Bug 196631: [JSC] makeBoundFunction should not assume incoming "length" value
is Int32 because it performs some calculation in bytecode
https://bugs.webkit.org/show_bug.cgi?id=196631
Attachment 366788: Patch
https://bugs.webkit.org/attachment.cgi?id=366788&action=review
--- Comment #13 from Saam Barati <sbarati at apple.com> ---
Comment on attachment 366788
--> https://bugs.webkit.org/attachment.cgi?id=366788
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=366788&action=review
r=me
> Source/JavaScriptCore/runtime/JSGlobalObject.cpp:251
> + int32_t length = lengthValue.toInt32(exec);
Should assert it's a number. Maybe even isAnyInt and that it's within 32-bits?
> Source/JavaScriptCore/runtime/JSGlobalObject.cpp:252
> + RETURN_IF_EXCEPTION(scope, { });
Should be an assert.
> JSTests/stress/make-bound-function-should-not-assume-int32-length.js:1
> +//@ runDefault("--useDoublePredictionFuzzerAgent=1")
maybe also concurrentJIT=0 to ensure we JIT?
More information about the webkit-reviews
mailing list