Missing arithMode for ArithAbs and ArithNegate in DFGClobberize
author: tzagallo@apple.com <tzagallo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 14 Mar 2020 00:19:24 +0000 (00:19 +0000)
committer: tzagallo@apple.com <tzagallo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 14 Mar 2020 00:19:24 +0000 (00:19 +0000)
https://bugs.webkit.org/show_bug.cgi?id=208685
<rdar://problem/60115088>

Reviewed by Saam Barati.

In the pure case of ArithNegate and ArithAbs in DFGClobberize, their PureValues did not include their
respective ArithMode. That means that e.g. a CheckOverflow ArithNegate/Abs could be considered equivalent
to an Unchecked version of the same node.

Thanks to Samuel Groß of Google Project Zero for identifying this bug.

* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@258452 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGClobberize.h

index 7a1de247ccc13609ecfffd861e2ace7980646a7a..08b14548c2abd309c9f97b8ec7aa6e764917e895 100644 (file)
@@ -1,3 +1,20 @@
+2020-03-13  Tadeu Zagallo  <tzagallo@apple.com>
+
+        Missing arithMode for ArithAbs and ArithNegate in DFGClobberize
+        https://bugs.webkit.org/show_bug.cgi?id=208685
+        <rdar://problem/60115088>
+
+        Reviewed by Saam Barati.
+
+        In the pure case of ArithNegate and ArithAbs in DFGClobberize, their PureValues did not include their
+        respective ArithMode. That means that e.g. a CheckOverflow ArithNegate/Abs could be considered equivalent
+        to an Unchecked version of the same node.
+
+        Thanks to Samuel Groß of Google Project Zero for identifying this bug.
+
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+
 2020-03-13  Myles C. Maxfield  <mmaxfield@apple.com>
 
         [Cocoa] Push applicationSDKVersion() down from WebCore into WTF
index b2318fe03aed41e0309587e7df90769cb04e3c49..5b34ec5bd8524c03b39a1b33ba2b2f64b3f563e1 100644 (file)
@@ -228,7 +228,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
 
     case ArithAbs:
         if (node->child1().useKind() == Int32Use || node->child1().useKind() == DoubleRepUse)
-            def(PureValue(node));
+            def(PureValue(node, node->arithMode()));
         else {
             read(World);
             write(Heap);
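Review bot: the one-line change is the whole fix and it is correct: `def(PureValue(node))` keyed the ArithAbs value only on opcode and children, so two ArithAbs nodes differing only in arithMode hashed equal and CSE could substitute one for the other, which for the Int32Use path means a CheckOverflow node could be replaced by an Unchecked one, exactly the equivalence the ChangeLog describes. `def(PureValue(node, node->arithMode()))` makes the mode part of the value-numbering key. Suggest a short comment on this line saying that arithMode must be part of the PureValue, so the next pure arithmetic case added to clobberize does not repeat the omission; the else branch (`read(World); write(Heap);`) is untouched and needs no change.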
@@ -248,7 +248,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
         if (node->child1().useKind() == Int32Use
             || node->child1().useKind() == DoubleRepUse
             || node->child1().useKind() == Int52RepUse)
-            def(PureValue(node));
+            def(PureValue(node, node->arithMode()));
         else {
             read(World);
             write(Heap);
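Review bot: the hunk begins inside the use-kind condition, so the `case` label itself is outside the visible context and the diff alone does not say which node this is; the ChangeLog identifies it as ArithNegate, and a reviewer should confirm that against the file at line 248. The change mirrors the ArithAbs hunk, adding `node->arithMode()` to the PureValue key for all three pure use kinds (Int32Use, DoubleRepUse, Int52RepUse), and since both cases now build the key the same way, a small shared helper or a comment referencing the ArithAbs case would make the requirement obvious to anyone adding a further arith node.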