RESOLVED FIXED 196850
[JSC] op_has_indexed_property should not assume subscript part is Uint32 
https://bugs.webkit.org/show_bug.cgi?id=196850
Summary [JSC] op_has_indexed_property should not assume subscript part is Uint32
Yusuke Suzuki
Reported 2019-04-11 21:27:55 PDT
[JSC] op_has_indexed_property should not assume subscript part is Uint32
Attachments
Patch (7.40 KB, patch)
2019-04-11 21:29 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (7.40 KB, patch)
2019-04-11 21:40 PDT, Yusuke Suzuki 		saam: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2019-04-11 21:29:42 PDT
Created attachment 367284 [details] Patch
Yusuke Suzuki
Comment 2 2019-04-11 21:30:29 PDT
<rdar://problem/49726277>
Yusuke Suzuki
Comment 3 2019-04-11 21:40:11 PDT
Created attachment 367286 [details] Patch
Saam Barati
Comment 4 2019-04-11 22:30:25 PDT
Comment on attachment 367286 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=367286&action=review > Source/JavaScriptCore/jit/JITOperations.cpp:2070 > + ASSERT(subscript.asAnyInt() <= UINT32_MAX); Maybe it’s worth a helper function since this is the second time you’re adding this code > Source/JavaScriptCore/jit/JITOperations.cpp:2074 > + uint32_t index = static_cast<uint32_t>(subscript.asAnyInt()); Ditto
Yusuke Suzuki
Comment 5 2019-04-11 22:54:23 PDT
Comment on attachment 367286 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=367286&action=review >> Source/JavaScriptCore/jit/JITOperations.cpp:2070 >> + ASSERT(subscript.asAnyInt() <= UINT32_MAX); > > Maybe it’s worth a helper function since this is the second time you’re adding this code Sounds nice! Like, asUint32AsAnyInt() / isUInt32AsAnyInt().
Yusuke Suzuki
Comment 6 2019-04-11 23:35:21 PDT
Committed r244211: <https://trac.webkit.org/changeset/244211>
Note You need to log in before you can comment on or make changes to this bug.