[JSC] op_has_indexed_property should not assume subscript part is Uint32
author ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 12 Apr 2019 06:35:17 +0000 (06:35 +0000)
committer ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 12 Apr 2019 06:35:17 +0000 (06:35 +0000)
commit 715c6489d5d4915179444d0b7a4efcbadf26f998
tree 3b815c4042f8717942af14ce77bb41715ae91c8d
parent 33ff6eb935db718471c344d73363052b71792b6c
[JSC] op_has_indexed_property should not assume subscript part is Uint32
https://bugs.webkit.org/show_bug.cgi?id=196850

Reviewed by Saam Barati.

JSTests:

* stress/has-indexed-property-should-accept-non-int32.js: Added.
(foo):

Source/JavaScriptCore:

op_has_indexed_property assumed that the subscript part is always Uint32. However, this is just a load from a non-constant RegisterID;
the DFG can store it in double format and can perform an OSR exit. op_has_indexed_property should not assume that.
In this patch, instead, we check it with isAnyInt and get a uint32_t from the AnyInt.

* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_has_indexed_property):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_has_indexed_property):
* jit/JITOperations.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244211 268f45cc-cd09-0410-ab3c-d52691b4dbfc
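The following is an added example and is not the commit's own stress test (JSTests/stress/has-indexed-property-should-accept-non-int32.js is not reproduced here). It is written in the style of a JSTests/stress file and shows, from JavaScript, the behaviour the opcode implements: the per-iteration "does index i still exist on the base?" check in the indexed part of a for-in loop, plus the property-key semantics that a subscript arriving as a double-formatted integer must still satisfy (an integral double such as 0.5 + 0.5 is index 1; -0 is index 0; 1.5 and out-of-range values are not indexes). The helper names shouldBe, enumerateIndices and hasIndex are this example's own; noInline is the jsc shell helper and is guarded so the file also runs under other engines. Whether the warm-up loop actually reaches the DFG and the OSR-exit path described in the ChangeLog depends on the engine and its tiering flags; the assertions only check the observable results, which every tier must agree on. The `in` operator used in hasIndex compiles to a different opcode than for-in's has_indexed_property, but the expected answers are the same hasProperty answers the slow path has to produce.

```javascript
// Added example (not part of the WebKit commit): JSTests/stress-style check of
// for-in indexed enumeration and of integral-double subscripts.
// Assumption: noInline exists only in the jsc shell; guarded below.

function shouldBe(actual, expected) {
    if (actual !== expected)
        throw new Error(`bad value: ${actual}, expected ${expected}`);
}

// The indexed part of a for-in loop re-checks, on every iteration, that the
// index still exists on the base object; that is the check has_indexed_property
// performs. Deleting a not-yet-visited element mid-loop must therefore skip it.
function enumerateIndices(array, deleteAt) {
    var keys = [];
    for (var i in array) {
        if (deleteAt !== undefined && Number(i) === deleteAt)
            delete array[deleteAt + 1]; // remove the next index before it is visited
        keys.push(i);
    }
    return keys.join(",");
}
if (typeof noInline === "function")
    noInline(enumerateIndices);

// Property-key semantics an index subscript must honour regardless of whether
// the engine holds it as an int32 or as a double: the key is ToString(number),
// so integral doubles and -0 are array indexes, non-integral values are not.
function hasIndex(array, subscript) {
    return subscript in array;
}
if (typeof noInline === "function")
    noInline(hasIndex);

function test() {
    // Warm up so a JIT tier compiles the loops; the arrays hold doubles
    // (constructed sample data) so the loop body mixes int and double values.
    for (var n = 0; n < 1e4; ++n) {
        shouldBe(enumerateIndices([1.5, 2.5, 3.5, 4.5]), "0,1,2,3");
        shouldBe(enumerateIndices([1.5, 2.5, 3.5, 4.5], 1), "0,1,3");
        shouldBe(hasIndex([10, 20], 0.5 + 0.5), true);   // integral double: index 1
        shouldBe(hasIndex([10, 20], -0), true);          // -0 -> "0"
        shouldBe(hasIndex([10, 20], 1.5), false);        // not an index
        shouldBe(hasIndex([10, 20], 2 ** 31), false);    // integral but absent
        shouldBe(hasIndex([10, 20], "1"), true);         // string form of index 1
    }
    return true;
}

test();
```

Run it with the jsc shell (`jsc file.js`) or any other JavaScript engine; a failing check throws, which is how the stress tests in JSTests report failure.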
JSTests/ChangeLog
JSTests/stress/has-indexed-property-should-accept-non-int32.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/jit/JITOpcodes.cpp
Source/JavaScriptCore/jit/JITOpcodes32_64.cpp
Source/JavaScriptCore/jit/JITOperations.cpp
Source/JavaScriptCore/runtime/ArrayPrototype.cpp
Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
Source/JavaScriptCore/runtime/JSCJSValue.h
Source/JavaScriptCore/runtime/JSCJSValueInlines.h
Source/JavaScriptCore/runtime/JSGlobalObject.cpp