| Field | Value |
|---|---|
| Summary | FTL's compileGetTypedArrayByteOffset needs to do caging |
| Product | WebKit |
| Component | JavaScriptCore |
| Reporter | Filip Pizlo <fpizlo> |
| Assignee | Filip Pizlo <fpizlo> |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Keywords | InRadar |
| CC | ggaren, jfbastien, keith_miller, mark.lam, msaboff, saam, webkit-bug-importer, ysuzuki |
| Version | WebKit Nightly Build |
| Hardware | All |
| OS | All |
| Bug Blocks | 174917 |
Description (Filip Pizlo, 2017-08-08 22:08:17 PDT)

Created attachment 317998: maybe the patch

Created attachment 317999: the patch

Comment #3 (Saam Barati)

Comment on attachment 317999: the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=317999&action=review

> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:11653
> +        LBasicBlock lastNext = m_out.insertNewBlocksBefore(notNull);

Why this instead of relying on the result of appendTo below?

Reply

(In reply to Saam Barati from comment #3)
> Comment on attachment 317999: the patch
>
> View in context: https://bugs.webkit.org/attachment.cgi?id=317999&action=review
>
> > Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:11653
> > +        LBasicBlock lastNext = m_out.insertNewBlocksBefore(notNull);
>
> Why this instead of relying on the result of appendTo below?

That way, the code that we insert at the end of the current block will do the right thing if it also contains a control flow diamond. Using the result of appendTo() is only safe if you are absolutely sure that none of the things you did before newBlock and appendTo added any other blocks. Therefore, although I used to use the result of appendTo() a lot, I don't think it's actually safe.