[JSC] to_index_string should not assume incoming value is Uint32
author: ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 8 Apr 2019 23:33:05 +0000 (23:33 +0000)
committer: ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 8 Apr 2019 23:33:05 +0000 (23:33 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196713

Reviewed by Saam Barati.

JSTests:

* stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
(foo):

Source/JavaScriptCore:

The slow path of to_index_string assumes that the incoming value is Uint32. But we should not have
this assumption since DFG may decide we should have it in double format. This patch removes this
assumption, and instead, we should assume that the incoming value is AnyInt and the range of this
is within Uint32.

* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244057 268f45cc-cd09-0410-ab3c-d52691b4dbfc
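The representation issue the commit describes, as an added example that is not WebKit code: a stand-in `Value` that is either an Int32 or an integer-valued double (the AnyInt shape the DFG may pick), with the patch's three ASSERTs recast as checks that also hold in release builds. `Value`, `isAnyInt`, `asAnyInt` and `toUint32Index` are hypothetical names modelled on the JSValue methods used in the diff, not JSC's API.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>
#include <optional>
#include <variant>

// Hypothetical stand-in for JSValue: the DFG may hand the slow path an
// integer as Int32 or as a double holding an integral value.
using Value = std::variant<int32_t, double>;

// Modelled on JSValue::isAnyInt(): Int32, or a finite double that is an
// exact integer within the safe-integer range (|d| <= 2^53 - 1).
bool isAnyInt(const Value& v) {
    if (std::holds_alternative<int32_t>(v))
        return true;
    double d = std::get<double>(v);
    if (!std::isfinite(d) || std::trunc(d) != d)
        return false;
    const double maxSafe = 9007199254740991.0;
    return d >= -maxSafe && d <= maxSafe;
}

// Modelled on JSValue::asAnyInt(): widen either representation to int64_t.
int64_t asAnyInt(const Value& v) {
    if (std::holds_alternative<int32_t>(v))
        return std::get<int32_t>(v);
    return static_cast<int64_t>(std::get<double>(v));
}

// The patched contract made explicit: accept any AnyInt whose value lies in
// [0, UINT32_MAX]; reject fractional, non-finite, negative or oversized values
// instead of truncating them with a bare static_cast.
std::optional<uint32_t> toUint32Index(const Value& v) {
    if (!isAnyInt(v))
        return std::nullopt;
    int64_t i = asAnyInt(v);
    if (i < 0 || i > static_cast<int64_t>(std::numeric_limits<uint32_t>::max()))
        return std::nullopt;
    return static_cast<uint32_t>(i);
}
```

A double-format `7.0` and an Int32 `7` both map to index 7, while `4294967296.0`, `-1` and `1.5` are rejected rather than silently wrapped.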

JSTests/ChangeLog
JSTests/stress/to-index-string-should-not-assume-incoming-value-is-uint32.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

index cd7d9d0..98cb0d1 100644 (file)
@@ -1,5 +1,15 @@
 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
 
+        [JSC] to_index_string should not assume incoming value is Uint32
+        https://bugs.webkit.org/show_bug.cgi?id=196713
+
+        Reviewed by Saam Barati.
+
+        * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
+        (foo):
+
+2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
+
         [JSC] Add more tests for r243966
         https://bugs.webkit.org/show_bug.cgi?id=196711
 
diff --git a/JSTests/stress/to-index-string-should-not-assume-incoming-value-is-uint32.js b/JSTests/stress/to-index-string-should-not-assume-incoming-value-is-uint32.js
new file mode 100644 (file)
index 0000000..5c8b25a
--- /dev/null
@@ -0,0 +1,13 @@
+//@ runDefault("--useMaximalFlushInsertionPhase=1", "--useRandomizingFuzzerAgent=1")
+
+function foo() {
+    for (var x in ['a', 'b']) {
+        if (x === '') {
+            break;
+        }
+    }
+    return false && Object.prototype.hasOwnProperty
+}
+
+for (var i = 0; i < 10000; ++i)
+    foo();
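Review bot: the statement `return false && Object.prototype.hasOwnProperty` is missing its trailing semicolon, and the `false &&` makes the `hasOwnProperty` operand dead code; if that operand is deliberately kept to shape what the DFG sees under `--useRandomizingFuzzerAgent=1`, a one-line comment saying so would stop a later cleanup from removing it. The test also carries no explicit assertion and relies on the ASSERTs in the slow path firing in a debug build, which is consistent with the other stress tests but worth keeping in mind when reading a release-only run.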
index e8e13ae..637e3a9 100644 (file)
@@ -1,3 +1,18 @@
+2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] to_index_string should not assume incoming value is Uint32
+        https://bugs.webkit.org/show_bug.cgi?id=196713
+
+        Reviewed by Saam Barati.
+
+        The slow path of to_index_string assumes that incoming value is Uint32. But we should not have
+        this assumption since DFG may decide we should have it double format. This patch removes this
+        assumption, and instead, we should assume that incoming value is AnyInt and the range of this
+        is within Uint32.
+
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+
 2019-04-08  Justin Fan  <justin_fan@apple.com>
 
         [Web GPU] Fix Web GPU experimental feature on iOS
index 043baad..59cb50f 100644 (file)
@@ -995,7 +995,12 @@ SLOW_PATH_DECL(slow_path_to_index_string)
 {
     BEGIN();
     auto bytecode = pc->as<OpToIndexString>();
-    RETURN(jsString(exec, Identifier::from(exec, GET(bytecode.m_index).jsValue().asUInt32()).string()));
+    JSValue indexValue = GET(bytecode.m_index).jsValue();
+    ASSERT(indexValue.isAnyInt());
+    ASSERT(indexValue.asAnyInt() <= UINT32_MAX);
+    ASSERT(indexValue.asAnyInt() >= 0);
+    uint32_t index = static_cast<uint32_t>(indexValue.asAnyInt());
+    RETURN(jsString(exec, Identifier::from(exec, index).string()));
 }
 
 SLOW_PATH_DECL(slow_path_profile_type_clear_log)
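Review bot: the three `ASSERT`s on `indexValue` are compiled out in release builds, so there `static_cast<uint32_t>(indexValue.asAnyInt())` silently truncates a value above `UINT32_MAX` and wraps a negative one; if the bytecode contract for `op_to_index_string` guarantees a non-negative, in-range integer this is acceptable, but a comment stating that guarantee (or a `RELEASE_ASSERT` on the range) would make the intent clear to the next reader. The two range checks could also be folded into one `ASSERT(indexValue.asAnyInt() >= 0 && indexValue.asAnyInt() <= UINT32_MAX)` so the accepted interval is visible in a single line.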