mirror of
https://gitlab.winehq.org/wine/wine-gecko.git
synced 2024-09-13 09:24:08 -07:00
[INFER] Avoid (unreachable) integer overflow when setting holes in dense arrays, bug 642592.
This commit is contained in:
parent
545818365f
commit
55652ce0ff
2
js/src/jit-test/tests/basic/bug642592.js
Normal file
2
js/src/jit-test/tests/basic/bug642592.js
Normal file
@ -0,0 +1,2 @@
|
||||
var strings = new Array();
|
||||
strings[0x7fffffff] = 0;
|
@ -1095,8 +1095,12 @@ IsCacheableSetElem(FrameEntry *obj, FrameEntry *id, FrameEntry *value)
|
||||
return false;
|
||||
if (id->isNotType(JSVAL_TYPE_INT32))
|
||||
return false;
|
||||
if (id->isConstant() && id->getValue().toInt32() < 0)
|
||||
if (id->isConstant()) {
|
||||
if (id->getValue().toInt32() < 0)
|
||||
return false;
|
||||
if (id->getValue().toInt32() + 1 < 0) // watch for overflow in hole paths
|
||||
return false;
|
||||
}
|
||||
|
||||
// obj[obj] * is not allowed, since it will never optimize.
|
||||
// obj[id] = id is allowed.
|
||||
|
Loading…
Reference in New Issue
Block a user