Bug 231935 - DFGSSALoweringPhase.cpp can create a GetTypedArrayLengthAsInt52 with the wrong return type
Status: RESOLVED DUPLICATE of bug 232059
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Robin Morisset
URL:
Keywords:
Depends on: 229353
Blocks:
Reported: 2021-10-18 20:00 PDT by Robin Morisset
Modified: 2021-10-21 12:04 PDT

See Also:


Attachments
Patch (1.95 KB, patch)
2021-10-18 20:03 PDT, Robin Morisset

Description Robin Morisset 2021-10-18 20:00:15 PDT
GetTypedArrayLengthAsInt52 is marked in DFGNodeTypes.h as NodeResultJS.
This is a complete lie: it actually returns an Int52.
The reason for this lie is that FixupPhase is the part responsible for making its users expect an Int52, and the ByteCodeParser can emit GetTypedArrayLengthAsInt52 before it runs, leading to validation failures.
It works because FixupPhase takes care to properly set the return type of every GetTypedArrayLengthAsInt52 it sees, but DFGSSALoweringPhase.cpp runs after Fixup and can insert a GetTypedArrayLengthAsInt52, and so it must also take care to properly set its return type.
Comment 1 Robin Morisset 2021-10-18 20:03:21 PDT
Created attachment 441680
Patch

I have not managed to find a test case for this yet.
Comment 2 Robin Morisset 2021-10-21 12:04:38 PDT

*** This bug has been marked as a duplicate of bug 232059 ***