WebKit Bugzilla
Bug 114366 (RESOLVED FIXED)
DFG: Negative size for new Array() interpreted as large unsigned int
https://bugs.webkit.org/show_bug.cgi?id=114366
Michael Saboff, Reported 2013-04-10 10:55:17 PDT
The DFG generated code treats array sizes as unsigned integers when the computation for an array can produce a negative value. The LLInt interpreter and baseline JIT appear to work correctly with negative sizes, that is, they both throw RangeError exceptions. From <rdar://problem/12850273>
Attachments
Patch (4.08 KB, patch), 2013-04-10 11:59 PDT, Michael Saboff, no flags
Michael Saboff, Comment 1, 2013-04-10 11:59:31 PDT
Created attachment 197353 [details]: Patch
Filip Pizlo, Comment 2, 2013-04-10 12:06:02 PDT
Comment on attachment 197353 [details] Patch
r=me too
WebKit Commit Bot, Comment 3, 2013-04-10 12:59:48 PDT
Comment on attachment 197353 [details] Patch
Clearing flags on attachment: 197353
Committed r148130: <http://trac.webkit.org/changeset/148130>
WebKit Commit Bot, Comment 4, 2013-04-10 12:59:49 PDT
All reviewed patches have been landed. Closing bug.
Darin Adler, Comment 5, 2013-04-10 13:04:57 PDT
Is this hot enough that UNLIKELY is needed/helpful?
Michael Saboff, Comment 6, 2013-04-11 07:58:16 PDT
(In reply to comment #5)
> Is this hot enough that UNLIKELY is needed/helpful?

It makes sense to add UNLIKELY. The case we care about for the bug is when the static_cast<unsigned>(size) >= 100000, but we'll also reach this patch when we can't allocate directly inline and need to get more space. In the real world, the failed allocation paths are far more likely. I'll add the UNLIKELY and check it in.
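The behaviour this bug describes, as an added regression check (not a WebKit test): a function whose array length is computed at runtime is warmed up so an optimizing tier such as the DFG can compile it, and every negative length must then throw RangeError instead of being treated as a large unsigned size. The 100000 threshold comes from comment 6; makeArray, checkLength and runRegression are names chosen here, and the probed values are constructed.

```javascript
// Added regression check for the behaviour described in this bug; not a
// WebKit test. An engine must throw RangeError for every negative length
// passed to new Array(), however the length was computed and whichever
// JIT tier compiled the code.
const MAX_ARRAY_LENGTH = 0xFFFFFFFF; // 2^32 - 1, the ECMAScript limit

// The length is computed from the arguments so the engine cannot fold it
// into a constant; a negative result must still be rejected.
function makeArray(base, offset) {
  return new Array(base - offset);
}

// Classifies the engine's behaviour for one requested length:
//   "ok"             correct (array created, or RangeError for a bad length)
//   "no-throw"       an invalid length silently produced an array (this bug)
//   "wrong-length"   a valid length produced an array of another size
//   "spurious-throw" a valid length was rejected
//   "wrong-error"    something other than RangeError was thrown
function checkLength(length) {
  const valid = Number.isInteger(length) && length >= 0 && length <= MAX_ARRAY_LENGTH;
  try {
    const arr = makeArray(length + 1, 1);
    if (!valid) return "no-throw";
    return arr.length === length ? "ok" : "wrong-length";
  } catch (e) {
    if (!(e instanceof RangeError)) return "wrong-error";
    return valid ? "spurious-throw" : "ok";
  }
}

// Warms makeArray up with valid sizes so an optimizing tier (the DFG in
// JavaScriptCore) has a chance to compile it, then probes the edge cases.
// 100000 is the inline-allocation threshold mentioned in comment 6; the
// other values are constructed for this example.
function runRegression(iterations) {
  for (let i = 0; i < iterations; i++) {
    const n = (i % 50) + 10;
    if (makeArray(n, 3).length !== n - 3) return { warmup: "wrong-length" };
  }
  const results = {};
  for (const n of [-1, -99999, -100000, -2147483648, 0, 5, 99999, 100000]) {
    results[n] = checkLength(n);
  }
  return results;
}
```

Any value other than "ok" in the returned object identifies a length the engine under test mishandles.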
Michael Saboff, Comment 7, 2013-04-11 09:19:02 PDT
(In reply to comment #6)
> (In reply to comment #5)
> > Is this hot enough that UNLIKELY is needed/helpful?
>
> It makes sense to add UNLIKELY. The case we care about for the bug is when the static_cast<unsigned>(size) >= 100000, but we'll also reach this patch when we can't allocate directly inline and need to get more space. In the real world, the failed allocation paths are far more likely.
>
> I'll add the UNLIKELY and check it in.

Landed in change set r148207 <http://trac.webkit.org/changeset/148207>.