Bug 196850

Summary: [JSC] op_has_indexed_property should not assume subscript part is Uint32
Product: WebKit Reporter: Yusuke Suzuki <ysuzuki>
Component: New BugsAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, saam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch saam: review+

Description Yusuke Suzuki 2019-04-11 21:27:55 PDT 
[JSC] op_has_indexed_property should not assume subscript part is Uint32
Comment 1 Yusuke Suzuki 2019-04-11 21:29:42 PDT 
Created attachment 367284 [details]
Patch
Comment 2 Yusuke Suzuki 2019-04-11 21:30:29 PDT 
<rdar://problem/49726277>
Comment 3 Yusuke Suzuki 2019-04-11 21:40:11 PDT 
Created attachment 367286 [details]
Patch
Comment 4 Saam Barati 2019-04-11 22:30:25 PDT 
Comment on attachment 367286 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=367286&action=review

> Source/JavaScriptCore/jit/JITOperations.cpp:2070
> +    ASSERT(subscript.asAnyInt() <= UINT32_MAX);

Maybe it’s worth a helper function since this is the second time you’re adding this code

> Source/JavaScriptCore/jit/JITOperations.cpp:2074
> +    uint32_t index = static_cast<uint32_t>(subscript.asAnyInt());

Ditto
Comment 5 Yusuke Suzuki 2019-04-11 22:54:23 PDT 
Comment on attachment 367286 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=367286&action=review

>> Source/JavaScriptCore/jit/JITOperations.cpp:2070
>> +    ASSERT(subscript.asAnyInt() <= UINT32_MAX);
> 
> Maybe it’s worth a helper function since this is the second time you’re adding this code

Sounds nice! Like, asUint32AsAnyInt() / isUInt32AsAnyInt().
Comment 6 Yusuke Suzuki 2019-04-11 23:35:21 PDT 
Committed r244211: <https://trac.webkit.org/changeset/244211>