kirkstone: subtree updateskirkstone

meta-raspberrypi: 2a06e4e84b..43683cb14b:
  Florin Sarbu (1):
        udev-rules-rpi: Use 99-com.rules directly from upstream

meta-openembedded: df452d9d98..f95484417e:
  Arsalan H. Awan (1):
        meta-networking/licenses/netperf: remove unused license

  Bhargav Das (2):
        tslib: Add native & nativestdk package support
        pointercal: Add native & nativestdk package support

  Changqing Li (1):
        redis: fix do_patch fuzz warning

  Chee Yang Lee (3):
        tinyproxy: fix CVE-2022-40468
        capnproto: upgrade to 0.9.2
        freerdp: fix CVE-2022-39316/39318/39319

  Gianluigi Spagnuolo (1):
        libbpf: add native and nativesdk BBCLASSEXTEND

  Jasper Orschulko (1):
        python3-gcovr: Add missing runtime dependency

  Jonas Gorski (3):
        frr: Security fix CVE-2022-36440 / CVE-2022-40302
        frr: Security fix CVE-2022-40318
        frr: Security fix CVE-2022-43681

  Khem Raj (1):
        nodejs: Fix build with gcc13

  Martin Jansa (1):
        abseil-cpp: backport a fix for build with gcc-13

  Narpat Mali (3):
        python3-werkzeug: fix for CVE-2023-25577
        python3-django: upgrade 4.0.2 -> 4.2.1
        python3-m2crypto: fix for CVE-2020-25657

  Natasha Bailey (1):
        libyang: backport a fix for CVE-2023-26916

  Valeria Petrov (1):
        apache2: upgrade 2.4.56 -> 2.4.57

  Xiangyu Chen (3):
        pahole: fix native package build error
        Revert "pahole: fix native package build error"
        libbpf: installing uapi headers for native package

poky: 4cc0e9438b..43b94d2b84:
  Alexander Kanavin (1):
        dhcpcd: use git instead of tarballs

  Archana Polampalli (4):
        nasm: fix CVE-2022-44370
        git: fix CVE-2023-29007
        git: fix CVE-2023-25652
        git: ignore CVE-2023-25815

  Arturo Buzarra (1):
        run-postinsts: Set dependency for ldconfig to avoid boot issues

  Bhabu Bindu (4):
        curl: Fix CVE-2023-28319
        curl: Fix CVE-2023-28320
        curl: Fix CVE-2023-28321
        curl: Fix CVE-2023-28322

  Bruce Ashfield (9):
        linux-yocto/5.15: update to v5.15.106
        linux-yocto/5.15: update to v5.15.107
        linux-yocto/5.15: update to v5.15.108
        kernel: improve initramfs bundle processing time
        linux-yocto/5.10: update to v5.10.176
        linux-yocto/5.10: update to v5.10.177
        linux-yocto/5.10: update to v5.10.178
        linux-yocto/5.10: update to v5.10.179
        linux-yocto/5.10: update to v5.10.180

  C. Andy Martin (1):
        systemd-networkd: backport fix for rm unmanaged wifi

  Christoph Lauer (1):
        populate_sdk_base: add zip options

  Daniel Ammann (1):
        overview-manual: concepts.rst: Fix a typo

  Deepthi Hemraj (5):
        glibc: stable 2.35 branch updates.
        binutils : Fix CVE-2023-25584
        binutils : Fix CVE-2023-25585
        binutils : Fix CVE-2023-1972
        binutils : Fix CVE-2023-25588

  Dmitry Baryshkov (1):
        linux-firmware: upgrade 20230210 -> 20230404

  Eero Aaltonen (1):
        avahi: fix D-Bus introspection

  Enrico Jörns (1):
        package_manager/ipk: fix config path generation in _create_custom_config()

  Hitendra Prajapati (2):
        connman: fix CVE-2023-28488 DoS in client.c
        sysstat: Fix CVE-2023-33204

  Jan Luebbe (1):
        p11-kit: add native to BBCLASSEXTEND

  Joe Slater (1):
        ghostscript: fix CVE-2023-29979

  Kai Kang (1):
        webkitgtk: fix CVE-2022-32888 & CVE-2022-32923

  Khem Raj (2):
        gcc-runtime: Use static dummy libstdc++
        quilt: Fix merge.test race condition

  Lee Chee Yang (1):
        migration-guides: add release notes for 4.0.10

  Marek Vasut (1):
        cpio: Fix wrong CRC with ASCII CRC for large files

  Martin Jansa (3):
        populate_sdk_ext.bbclass: set METADATA_REVISION with an DISTRO override
        llvm: backport a fix for build with gcc-13
        kernel-devicetree: make shell scripts posix compliant

  Martin Siegumfeldt (1):
        systemd-systemctl: fix instance template WantedBy symlink construction

  Michael Halstead (2):
        uninative: Upgrade to 3.10 to support gcc 13
        uninative: Upgrade to 4.0 to include latest gcc 13.1.1

  Michael Opdenacker (2):
        conf.py: add macro for Mitre CVE links
        migration-guides: use new cve_mitre macro

  Ming Liu (1):
        weston: add xwayland to DEPENDS for PACKAGECONFIG xwayland

  Mingli Yu (1):
        ruby: Fix CVE-2023-28755

  Narpat Mali (3):
        ffmpeg: fix for CVE-2022-48434
        python3-cryptography: fix for CVE-2023-23931
        python3-requests: fix for CVE-2023-32681

  Omkar Patil (1):
        curl: Correction for CVE-2023-27536

  Pablo Saavedra (1):
        gstreamer1.0: upgrade 1.20.5 -> 1.20.6

  Pascal Bach (1):
        cmake: add CMAKE_SYSROOT to generated toolchain file

  Peter Bergin (1):
        update-alternatives.bbclass: fix old override syntax

  Peter Kjellerstedt (1):
        license.bbclass: Include LICENSE in the output when it fails to parse

  Peter Marko (2):
        libxml2: patch CVE-2023-28484 and CVE-2023-29469
        openssl: Upgrade 3.0.8 -> 3.0.9

  Piotr Łobacz (1):
        libarchive: Enable acls, xattr for native as well as target

  Quentin Schulz (1):
        Revert "docs: conf.py: fix cve extlinks caption for sphinx <4.0"

  Randolph Sapp (4):
        wic/bootimg-efi: if fixed-size is set then use that for mkdosfs
        kernel-devicetree: allow specification of dtb directory
        package: enable recursion on file globs
        kernel-devicetree: recursively search for dtbs

  Ranjitsinh Rathod (1):
        libbsd: Add correct license for all packages

  Richard Purdie (3):
        maintainers.inc: Fix email address typo
        maintainers.inc: Move repo to unassigned
        selftest/reproducible: Allow native/cross reuse in test

  Riyaz Khan (1):
        openssh: Remove BSD-4-clause contents completely from codebase

  Ross Burton (1):
        xserver-xorg: backport fix for CVE-2023-1393

  Sakib Sajal (1):
        go: fix CVE-2023-24540

  Shubham Kulkarni (1):
        go: Security fix for CVE-2023-24538

  Soumya (1):
        perl: fix CVE-2023-31484

  Steve Sakoman (3):
        Revert "xserver-xorg: backport fix for CVE-2023-1393"
        poky.conf: bump version for 4.0.10
        build-appliance-image: Update to kirkstone head revision

  Thomas Roos (1):
        oeqa/utils/metadata.py: Fix running oe-selftest running with no distro set

  Tom Hochstein (2):
        piglit: Add PACKAGECONFIG for glx and opencl
        piglit: Add missing glslang dependencies

  Upgrade Helper (1):
        waffle: upgrade 1.7.0 -> 1.7.2

  Virendra Thakur (1):
        qemu: Whitelist CVE-2023-0664

  Vivek Kumbhar (3):
        freetype: fix CVE-2023-2004 integer overflowin in tt_hvadvance_adjust() in src/truetype/ttgxvar.c
        go: fix CVE-2023-24534 denial of service from excessive memory allocation
        go: fix CVE-2023-24539 html/template improper sanitization of CSS values

  Wang Mingyu (2):
        wpebackend-fdo: upgrade 1.14.0 -> 1.14.2
        xserver-xorg: upgrade 21.1.7 -> 21.1.8

  Yoann Congal (1):
        linux-yocto: Exclude 121 CVEs already fixed upstream

  Yogita Urade (2):
        xorg-lib-common: Add variable to set tarball type
        libxpm: upgrade 3.5.13 -> 3.5.15

  Zhixiong Chi (1):
        libpam: Fix the xtests/tst-pam_motd[1|3] failures

  Zoltan Boszormenyi (1):
        piglit: Fix build time dependency

  bkylerussell@gmail.com (1):
        kernel-devsrc: depend on python3-core instead of python3

  leimaohui (1):
        nghttp2: Deleted the entries for -client and -server, and removed a dependency on them from the main package.

meta-security: cc20e2af2a..d398cc6ea6:
  Armin Kuster (1):
        apparmor: fix ownership issues

  Josh Harley (1):
        Add EROFS support to dm-verity-img class

  Maciej Borzęcki (1):
        dm-verity-img.bbclass: add squashfs images

  Peter Marko (1):
        tpm2-tss: upgrade to 3.2.2 to fix CVE-2023-22745

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I683201033cfd1b1135738f49b0faf6df2e6348b6

1 files changed, 435 insertions, 0 deletions

diff --git a/poky/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch b/poky/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch
new file mode 100644
index 0000000000..60342a14f8
--- /dev/null
+++ b/poky/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch
@@ -0,0 +1,435 @@
+CVE: CVE-2022-32923
+Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/ef76e31]
+
+[1]: https://support.apple.com/en-us/HT213495
+[2]: https://bugs.webkit.org/show_bug.cgi?id=242964
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From ef76e31a2a066c3d65a9c94a9e2cd88133260c1f Mon Sep 17 00:00:00 2001
+From: Yusuke Suzuki <ysuzuki@apple.com>
+Date: Wed, 20 Jul 2022 19:30:48 -0700
+Subject: [PATCH] [JSC] BakcwardPropagationPhase should carry NaN / Infinity
+ handling https://bugs.webkit.org/show_bug.cgi?id=242964 rdar://96791603
+
+Reviewed by Mark Lam.
+
+For correctness, we should carry NaN / Infinity handling to make it more clear in the code generation site.
+
+* Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp:
+(JSC::DFG::BackwardsPropagationPhase::propagate):
+* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
+(JSC::DFG::FixupPhase::fixupArithDivInt32):
+(JSC::DFG::FixupPhase::fixupArithDiv):
+* Source/JavaScriptCore/dfg/DFGGraph.h:
+* Source/JavaScriptCore/dfg/DFGNode.h:
+* Source/JavaScriptCore/dfg/DFGNodeFlags.cpp:
+(JSC::DFG::dumpNodeFlags):
+* Source/JavaScriptCore/dfg/DFGNodeFlags.h:
+(JSC::DFG::bytecodeCanIgnoreNaNAndInfinity):
+(JSC::DFG::nodeCanSpeculateInt32ForDiv):
+* Source/JavaScriptCore/dfg/DFGNodeType.h:
+
+Canonical link: https://commits.webkit.org/252675@main
+---
+ .../dfg/DFGBackwardsPropagationPhase.cpp      | 51 +++++++++++--------
+ Source/JavaScriptCore/dfg/DFGFixupPhase.cpp   |  6 ++-
+ Source/JavaScriptCore/dfg/DFGGraph.h          | 11 ++++
+ Source/JavaScriptCore/dfg/DFGNode.h           | 12 +++--
+ Source/JavaScriptCore/dfg/DFGNodeFlags.cpp    | 10 ++--
+ Source/JavaScriptCore/dfg/DFGNodeFlags.h      | 37 +++++++++++---
+ Source/JavaScriptCore/dfg/DFGNodeType.h       |  3 +-
+ 7 files changed, 91 insertions(+), 39 deletions(-)
+
+diff --git a/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp b/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp
+index 306ea5d6b974..83a08aff7c20 100644
+--- a/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp
++++ b/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp
+@@ -272,7 +272,7 @@ private:
+         case ValueBitNot:
+         case ArithBitNot: {
+             flags |= NodeBytecodeUsesAsInt;
+-            flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther);
++            flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther);
+             flags &= ~NodeBytecodeUsesAsArrayIndex;
+             node->child1()->mergeFlags(flags);
+             break;
+@@ -291,7 +291,7 @@ private:
+         case BitURShift:
+         case ArithIMul: {
+             flags |= NodeBytecodeUsesAsInt;
+-            flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther);
++            flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther);
+             flags &= ~NodeBytecodeUsesAsArrayIndex;
+             node->child1()->mergeFlags(flags);
+             node->child2()->mergeFlags(flags);
+@@ -308,9 +308,9 @@ private:
+ 
+         case StringSlice: {
+             node->child1()->mergeFlags(NodeBytecodeUsesAsValue);
+-            node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
++            node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity);
+             if (node->child3())
+-                node->child3()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
++                node->child3()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity);
+             break;
+         }
+ 
+@@ -320,11 +320,11 @@ private:
+             if (node->numChildren() == 2)
+                 m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsValue);
+             else if (node->numChildren() == 3) {
+-                m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
++                m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity);
+                 m_graph.varArgChild(node, 2)->mergeFlags(NodeBytecodeUsesAsValue);
+             } else if (node->numChildren() == 4) {
+-                m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
+-                m_graph.varArgChild(node, 2)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
++                m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity);
++                m_graph.varArgChild(node, 2)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity);
+                 m_graph.varArgChild(node, 3)->mergeFlags(NodeBytecodeUsesAsValue);
+             }
+             break;
+@@ -345,6 +345,7 @@ private:
+                 flags |= NodeBytecodeUsesAsNumber;
+             if (!m_allowNestedOverflowingAdditions)
+                 flags |= NodeBytecodeUsesAsNumber;
++            flags |= NodeBytecodeNeedsNaNOrInfinity;
+             
+             node->child1()->mergeFlags(flags);
+             node->child2()->mergeFlags(flags);
+@@ -359,6 +360,7 @@ private:
+                 flags |= NodeBytecodeUsesAsNumber;
+             if (!m_allowNestedOverflowingAdditions)
+                 flags |= NodeBytecodeUsesAsNumber;
++            flags |= NodeBytecodeNeedsNaNOrInfinity;
+             
+             node->child1()->mergeFlags(flags);
+             node->child2()->mergeFlags(flags);
+@@ -366,7 +368,7 @@ private:
+         }
+ 
+         case ArithClz32: {
+-            flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther | ~NodeBytecodeUsesAsArrayIndex);
++            flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther | ~NodeBytecodeUsesAsArrayIndex);
+             flags |= NodeBytecodeUsesAsInt;
+             node->child1()->mergeFlags(flags);
+             break;
+@@ -380,6 +382,7 @@ private:
+                 flags |= NodeBytecodeUsesAsNumber;
+             if (!m_allowNestedOverflowingAdditions)
+                 flags |= NodeBytecodeUsesAsNumber;
++            flags |= NodeBytecodeNeedsNaNOrInfinity;
+             
+             node->child1()->mergeFlags(flags);
+             node->child2()->mergeFlags(flags);
+@@ -387,6 +390,7 @@ private:
+         }
+             
+         case ArithNegate: {
++            // negation does not care about NaN, Infinity, -Infinity are converted into 0 if the result is evaluated under the integer context.
+             flags &= ~NodeBytecodeUsesAsOther;
+ 
+             node->child1()->mergeFlags(flags);
+@@ -401,6 +405,7 @@ private:
+                 flags |= NodeBytecodeUsesAsNumber;
+             if (!m_allowNestedOverflowingAdditions)
+                 flags |= NodeBytecodeUsesAsNumber;
++            flags |= NodeBytecodeNeedsNaNOrInfinity;
+ 
+             node->child1()->mergeFlags(flags);
+             break;
+@@ -421,7 +426,7 @@ private:
+             
+             node->mergeFlags(flags);
+             
+-            flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero;
++            flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity;
+             flags &= ~NodeBytecodeUsesAsOther;
+ 
+             node->child1()->mergeFlags(flags);
+@@ -431,7 +436,13 @@ private:
+             
+         case ValueDiv:
+         case ArithDiv: {
+-            flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero;
++            // ArithDiv / ValueDiv need to have NodeBytecodeUsesAsNumber even if it is used in the context of integer.
++            // For example,
++            //     ((@x / @y) + @z) | 0
++            // In this context, (@x / @y) can have integer context at first, but the result can be different if div
++            // generates NaN. Div and Mod are operations that can produce NaN / Infinity though only taking binary Int32 operands.
++            // Thus, we always need to check for overflow since it can affect downstream calculations.
++            flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity;
+             flags &= ~NodeBytecodeUsesAsOther;
+ 
+             node->child1()->mergeFlags(flags);
+@@ -441,7 +452,7 @@ private:
+             
+         case ValueMod:
+         case ArithMod: {
+-            flags |= NodeBytecodeUsesAsNumber;
++            flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity;
+             flags &= ~NodeBytecodeUsesAsOther;
+ 
+             node->child1()->mergeFlags(flags);
+@@ -452,7 +463,7 @@ private:
+         case EnumeratorGetByVal:
+         case GetByVal: {
+             m_graph.varArgChild(node, 0)->mergeFlags(NodeBytecodeUsesAsValue);
+-            m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
++            m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsArrayIndex);
+             break;
+         }
+             
+@@ -461,13 +472,13 @@ private:
+             // Negative zero is not observable. NaN versus undefined are only observable
+             // in that you would get a different exception message. So, like, whatever: we
+             // claim here that NaN v. undefined is observable.
+-            node->child1()->mergeFlags(NodeBytecodeUsesAsInt | NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsArrayIndex);
++            node->child1()->mergeFlags(NodeBytecodeUsesAsInt | NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsArrayIndex);
+             break;
+         }
+             
+         case ToString:
+         case CallStringConstructor: {
+-            node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther);
++            node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity);
+             break;
+         }
+             
+@@ -487,15 +498,15 @@ private:
+         case CompareBelowEq:
+         case CompareEq:
+         case CompareStrictEq: {
+-            node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther);
+-            node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther);
++            node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity);
++            node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity);
+             break;
+         }
+ 
+         case PutByValDirect:
+         case PutByVal: {
+             m_graph.varArgChild(node, 0)->mergeFlags(NodeBytecodeUsesAsValue);
+-            m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
++            m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity);
+             m_graph.varArgChild(node, 2)->mergeFlags(NodeBytecodeUsesAsValue);
+             break;
+         }
+@@ -508,20 +519,20 @@ private:
+                 // then -0 and 0 are treated the same.  We don't need NodeBytecodeUsesAsOther
+                 // because if all of the cases are integers then NaN and undefined are
+                 // treated the same (i.e. they will take default).
+-                node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsInt);
++                node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsInt | NodeBytecodeNeedsNaNOrInfinity);
+                 break;
+             case SwitchChar: {
+                 // We don't need NodeBytecodeNeedsNegZero because if the cases are all strings
+                 // then -0 and 0 are treated the same.  We don't need NodeBytecodeUsesAsOther
+                 // because if all of the cases are single-character strings then NaN
+                 // and undefined are treated the same (i.e. they will take default).
+-                node->child1()->mergeFlags(NodeBytecodeUsesAsNumber);
++                node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNaNOrInfinity);
+                 break;
+             }
+             case SwitchString:
+                 // We don't need NodeBytecodeNeedsNegZero because if the cases are all strings
+                 // then -0 and 0 are treated the same.
+-                node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther);
++                node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity);
+                 break;
+             case SwitchCell:
+                 // There is currently no point to being clever here since this is used for switching
+diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+index e8bee58ada15..b679539de2e6 100644
+--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
++++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+@@ -81,7 +81,9 @@ private:
+         if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
+             fixIntOrBooleanEdge(leftChild);
+             fixIntOrBooleanEdge(rightChild);
+-            if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
++            // We need to be careful about skipping overflow check because div / mod can generate non integer values
++            // from (Int32, Int32) inputs. For now, we always check non-zero divisor.
++            if (bytecodeCanTruncateInteger(node->arithNodeFlags()) && bytecodeCanIgnoreNaNAndInfinity(node->arithNodeFlags()) && bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
+                 node->setArithMode(Arith::Unchecked);
+             else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
+                 node->setArithMode(Arith::CheckOverflow);
+@@ -122,7 +124,7 @@ private:
+ 
+     void fixupArithDiv(Node* node, Edge& leftChild, Edge& rightChild)
+     {
+-        if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
++        if (m_graph.divShouldSpeculateInt32(node, FixupPass)) {
+             fixupArithDivInt32(node, leftChild, rightChild);
+             return;
+         }
+diff --git a/Source/JavaScriptCore/dfg/DFGGraph.h b/Source/JavaScriptCore/dfg/DFGGraph.h
+index ca566d3a484e..284c87672849 100644
+--- a/Source/JavaScriptCore/dfg/DFGGraph.h
++++ b/Source/JavaScriptCore/dfg/DFGGraph.h
+@@ -373,6 +373,17 @@ public:
+ 
+         return shouldSpeculateInt52ForAdd(left) && shouldSpeculateInt52ForAdd(right);
+     }
++
++    bool divShouldSpeculateInt32(Node* node, PredictionPass pass)
++    {
++        // Even if inputs are Int32, div can generate NaN or Infinity.
++        // Thus, Overflow in div can be caused by these non integer values as well as actual Int32 overflow.
++        Node* left = node->child1().node();
++        Node* right = node->child2().node();
++
++        return Node::shouldSpeculateInt32OrBooleanForArithmetic(left, right)
++            && nodeCanSpeculateInt32ForDiv(node->arithNodeFlags(), node->sourceFor(pass));
++    }
+     
+     bool binaryArithShouldSpeculateInt32(Node* node, PredictionPass pass)
+     {
+diff --git a/Source/JavaScriptCore/dfg/DFGNode.h b/Source/JavaScriptCore/dfg/DFGNode.h
+index f9ff50658e93..04509a3846ca 100644
+--- a/Source/JavaScriptCore/dfg/DFGNode.h
++++ b/Source/JavaScriptCore/dfg/DFGNode.h
+@@ -3308,21 +3308,25 @@ public:
+         out.printf(", @%u", child3()->index());
+     }
+ 
+-    NodeOrigin origin;
++    NO_UNIQUE_ADDRESS NodeOrigin origin;
+ 
++private:
++    NO_UNIQUE_ADDRESS NodeType m_op;
++
++    NO_UNIQUE_ADDRESS unsigned m_index { std::numeric_limits<unsigned>::max() };
++
++public:
+     // References to up to 3 children, or links to a variable length set of children.
+     AdjacencyList children;
+ 
+ private:
+     friend class B3::SparseCollection<Node>;
+ 
+-    unsigned m_index { std::numeric_limits<unsigned>::max() };
+-    unsigned m_op : 10; // real type is NodeType
+-    unsigned m_flags : 21;
+     // The virtual register number (spill location) associated with this .
+     VirtualRegister m_virtualRegister;
+     // The number of uses of the result of this operation (+1 for 'must generate' nodes, which have side-effects).
+     unsigned m_refCount;
++    NodeFlags m_flags;
+     // The prediction ascribed to this node after propagation.
+     SpeculatedType m_prediction { SpecNone };
+     // Immediate values, accesses type-checked via accessors above.
+diff --git a/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp b/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp
+index 88242947f6ef..0c53cd976c5c 100644
+--- a/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp
++++ b/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp
+@@ -74,12 +74,14 @@ void dumpNodeFlags(PrintStream& actualOut, NodeFlags flags)
+         out.print(comma, "VarArgs");
+     
+     if (flags & NodeResultMask) {
+-        if (!(flags & NodeBytecodeUsesAsNumber) && !(flags & NodeBytecodeNeedsNegZero))
++        if (!(flags & NodeBytecodeUsesAsNumber))
+             out.print(comma, "PureInt");
+-        else if (!(flags & NodeBytecodeUsesAsNumber))
+-            out.print(comma, "PureInt(w/ neg zero)");
+-        else if (!(flags & NodeBytecodeNeedsNegZero))
++        else
+             out.print(comma, "PureNum");
++        if (flags & NodeBytecodeNeedsNegZero)
++            out.print(comma, "NeedsNegZero");
++        if (flags & NodeBytecodeNeedsNaNOrInfinity)
++            out.print(comma, "NeedsNaNOrInfinity");
+         if (flags & NodeBytecodeUsesAsOther)
+             out.print(comma, "UseAsOther");
+     }
+diff --git a/Source/JavaScriptCore/dfg/DFGNodeFlags.h b/Source/JavaScriptCore/dfg/DFGNodeFlags.h
+index 2ebe3544f601..aa60db7e6ba0 100644
+--- a/Source/JavaScriptCore/dfg/DFGNodeFlags.h
++++ b/Source/JavaScriptCore/dfg/DFGNodeFlags.h
+@@ -61,18 +61,19 @@ namespace JSC { namespace DFG {
+ #define NodeBytecodeUseBottom            0x00000
+ #define NodeBytecodeUsesAsNumber         0x04000 // The result of this computation may be used in a context that observes fractional, or bigger-than-int32, results.
+ #define NodeBytecodeNeedsNegZero         0x08000 // The result of this computation may be used in a context that observes -0.
+-#define NodeBytecodeUsesAsOther          0x10000 // The result of this computation may be used in a context that distinguishes between NaN and other things (like undefined).
+-#define NodeBytecodeUsesAsInt            0x20000 // The result of this computation is known to be used in a context that prefers, but does not require, integer values.
+-#define NodeBytecodeUsesAsArrayIndex     0x40000 // The result of this computation is known to be used in a context that strongly prefers integer values, to the point that we should avoid using doubles if at all possible.
+-#define NodeBytecodeUsesAsValue          (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther)
+-#define NodeBytecodeBackPropMask         (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex)
++#define NodeBytecodeNeedsNaNOrInfinity   0x10000 // The result of this computation may be used in a context that observes NaN or Infinity.
++#define NodeBytecodeUsesAsOther          0x20000 // The result of this computation may be used in a context that distinguishes between NaN and other things (like undefined).
++#define NodeBytecodeUsesAsInt            0x40000 // The result of this computation is known to be used in a context that prefers, but does not require, integer values.
++#define NodeBytecodeUsesAsArrayIndex     0x80000 // The result of this computation is known to be used in a context that strongly prefers integer values, to the point that we should avoid using doubles if at all possible.
++#define NodeBytecodeUsesAsValue          (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther)
++#define NodeBytecodeBackPropMask         (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex)
+ 
+ #define NodeArithFlagsMask               (NodeBehaviorMask | NodeBytecodeBackPropMask)
+ 
+-#define NodeIsFlushed                    0x80000 // Computed by CPSRethreadingPhase, will tell you which local nodes are backwards-reachable from a Flush.
++#define NodeIsFlushed                   0x100000 // Computed by CPSRethreadingPhase, will tell you which local nodes are backwards-reachable from a Flush.
+ 
+-#define NodeMiscFlag1                   0x100000
+-#define NodeMiscFlag2                   0x200000
++#define NodeMiscFlag1                   0x200000
++#define NodeMiscFlag2                   0x400000
+ 
+ typedef uint32_t NodeFlags;
+ 
+@@ -91,6 +92,11 @@ static inline bool bytecodeCanIgnoreNegativeZero(NodeFlags flags)
+     return !(flags & NodeBytecodeNeedsNegZero);
+ }
+ 
++static inline bool bytecodeCanIgnoreNaNAndInfinity(NodeFlags flags)
++{
++    return !(flags & NodeBytecodeNeedsNaNOrInfinity);
++}
++
+ enum RareCaseProfilingSource {
+     BaselineRareCase, // Comes from slow case counting in the baseline JIT.
+     DFGRareCase, // Comes from OSR exit profiles.
+@@ -147,6 +153,21 @@ static inline bool nodeCanSpeculateInt32(NodeFlags flags, RareCaseProfilingSourc
+     return true;
+ }
+ 
++static inline bool nodeCanSpeculateInt32ForDiv(NodeFlags flags, RareCaseProfilingSource source)
++{
++    if (nodeMayOverflowInt32(flags, source)) {
++        if (bytecodeUsesAsNumber(flags))
++            return false;
++        if (!bytecodeCanIgnoreNaNAndInfinity(flags))
++            return false;
++    }
++
++    if (nodeMayNegZero(flags, source))
++        return bytecodeCanIgnoreNegativeZero(flags);
++
++    return true;
++}
++
+ static inline bool nodeCanSpeculateInt52(NodeFlags flags, RareCaseProfilingSource source)
+ {
+     if (nodeMayOverflowInt52(flags, source))
+diff --git a/Source/JavaScriptCore/dfg/DFGNodeType.h b/Source/JavaScriptCore/dfg/DFGNodeType.h
+index 8f885b570665..aad4d559ccf7 100644
+--- a/Source/JavaScriptCore/dfg/DFGNodeType.h
++++ b/Source/JavaScriptCore/dfg/DFGNodeType.h
+@@ -567,7 +567,7 @@ namespace JSC { namespace DFG {
+ 
+ // This enum generates a monotonically increasing id for all Node types,
+ // and is used by the subsequent enum to fill out the id (as accessed via the NodeIdMask).
+-enum NodeType {
++enum NodeType : uint16_t {
+ #define DFG_OP_ENUM(opcode, flags) opcode,
+     FOR_EACH_DFG_OP(DFG_OP_ENUM)
+ #undef DFG_OP_ENUM
+@@ -577,6 +577,7 @@ enum NodeType {
+ #define DFG_OP_COUNT(opcode, flags) + 1
+ constexpr unsigned numberOfNodeTypes = FOR_EACH_DFG_OP(DFG_OP_COUNT);
+ #undef DFG_OP_COUNT
++static_assert(numberOfNodeTypes <= UINT16_MAX);
+ 
+ // Specifies the default flags for each node.
+ inline NodeFlags defaultFlags(NodeType op)
+-- 
+2.34.1
+