231935 – DFGSSALoweringPhase.cpp can create a GetTypedArrayLengthAsInt52 with the wrong return type

RESOLVED DUPLICATE of bug 232059 231935

DFGSSALoweringPhase.cpp can create a GetTypedArrayLengthAsInt52 with the wrong return type

https://bugs.webkit.org/show_bug.cgi?id=231935

Summary DFGSSALoweringPhase.cpp can create a GetTypedArrayLengthAsInt52 with the wron...

Robin Morisset

Reported 2021-10-18 20:00:15 PDT

GetTypedArrayLengthAsInt52 is marked in DFGNodeTypes.h as NodeResultJS. This is a complete lie: it actually returns an Int52. The reason for this lie is that FixupPhase is the part responsible for making its users expect and Int52, and the ByteCodeParser can emit GetTypedArrayLengthAsInt52 before it runs, leading to validation failures. It works because FixupPhase takes care to properly set the return type of every GetTypedArrayLengthAsInt52 it sees.. but DFGSSALoweringPhase.cpp runs after Fixup and can insert a GetTypedArrayLengthAsInt52, and so it must also take care to properly set its return type.

Attachments
Patch (1.95 KB, patch) 2021-10-18 20:03 PDT, Robin Morisset	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Robin Morisset

Comment 1 2021-10-18 20:03:21 PDT

Created attachment 441680 [details] Patch I have not managed to find a test case for this yet.

Robin Morisset

Comment 2 2021-10-21 12:04:38 PDT

*** This bug has been marked as a duplicate of bug 232059 ***

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution DUPLICATE

of bug 232059

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Robin Morisset

Reported

2021-10-18 20:00 PDT

Modified

2021-10-21 12:04 PDT History

CC List

6 users Show

URL

Keywords

Depends on

229353

Blocks

Dependencies

tree graph