diff options
author | Patrick Williams <patrick@stwcx.xyz> | 2023-06-15 13:43:17 +0300 |
---|---|---|
committer | Patrick Williams <patrick@stwcx.xyz> | 2023-06-15 19:22:24 +0300 |
commit | 91c4060797737f563a7b975d726f2efcb088e45f (patch) | |
tree | 0b2a543533ec0cf03a47e67056a95b0073b51524 /poky/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch | |
parent | 821a859c1d68e8cfeea8c50e86f15daa87e71d59 (diff) | |
download | openbmc-91c4060797737f563a7b975d726f2efcb088e45f.tar.xz |
kirkstone: subtree updateskirkstone
meta-raspberrypi: 2a06e4e84b..43683cb14b:
Florin Sarbu (1):
udev-rules-rpi: Use 99-com.rules directly from upstream
meta-openembedded: df452d9d98..f95484417e:
Arsalan H. Awan (1):
meta-networking/licenses/netperf: remove unused license
Bhargav Das (2):
tslib: Add native & nativestdk package support
pointercal: Add native & nativestdk package support
Changqing Li (1):
redis: fix do_patch fuzz warning
Chee Yang Lee (3):
tinyproxy: fix CVE-2022-40468
capnproto: upgrade to 0.9.2
freerdp: fix CVE-2022-39316/39318/39319
Gianluigi Spagnuolo (1):
libbpf: add native and nativesdk BBCLASSEXTEND
Jasper Orschulko (1):
python3-gcovr: Add missing runtime dependency
Jonas Gorski (3):
frr: Security fix CVE-2022-36440 / CVE-2022-40302
frr: Security fix CVE-2022-40318
frr: Security fix CVE-2022-43681
Khem Raj (1):
nodejs: Fix build with gcc13
Martin Jansa (1):
abseil-cpp: backport a fix for build with gcc-13
Narpat Mali (3):
python3-werkzeug: fix for CVE-2023-25577
python3-django: upgrade 4.0.2 -> 4.2.1
python3-m2crypto: fix for CVE-2020-25657
Natasha Bailey (1):
libyang: backport a fix for CVE-2023-26916
Valeria Petrov (1):
apache2: upgrade 2.4.56 -> 2.4.57
Xiangyu Chen (3):
pahole: fix native package build error
Revert "pahole: fix native package build error"
libbpf: installing uapi headers for native package
poky: 4cc0e9438b..43b94d2b84:
Alexander Kanavin (1):
dhcpcd: use git instead of tarballs
Archana Polampalli (4):
nasm: fix CVE-2022-44370
git: fix CVE-2023-29007
git: fix CVE-2023-25652
git: ignore CVE-2023-25815
Arturo Buzarra (1):
run-postinsts: Set dependency for ldconfig to avoid boot issues
Bhabu Bindu (4):
curl: Fix CVE-2023-28319
curl: Fix CVE-2023-28320
curl: Fix CVE-2023-28321
curl: Fix CVE-2023-28322
Bruce Ashfield (9):
linux-yocto/5.15: update to v5.15.106
linux-yocto/5.15: update to v5.15.107
linux-yocto/5.15: update to v5.15.108
kernel: improve initramfs bundle processing time
linux-yocto/5.10: update to v5.10.176
linux-yocto/5.10: update to v5.10.177
linux-yocto/5.10: update to v5.10.178
linux-yocto/5.10: update to v5.10.179
linux-yocto/5.10: update to v5.10.180
C. Andy Martin (1):
systemd-networkd: backport fix for rm unmanaged wifi
Christoph Lauer (1):
populate_sdk_base: add zip options
Daniel Ammann (1):
overview-manual: concepts.rst: Fix a typo
Deepthi Hemraj (5):
glibc: stable 2.35 branch updates.
binutils : Fix CVE-2023-25584
binutils : Fix CVE-2023-25585
binutils : Fix CVE-2023-1972
binutils : Fix CVE-2023-25588
Dmitry Baryshkov (1):
linux-firmware: upgrade 20230210 -> 20230404
Eero Aaltonen (1):
avahi: fix D-Bus introspection
Enrico Jörns (1):
package_manager/ipk: fix config path generation in _create_custom_config()
Hitendra Prajapati (2):
connman: fix CVE-2023-28488 DoS in client.c
sysstat: Fix CVE-2023-33204
Jan Luebbe (1):
p11-kit: add native to BBCLASSEXTEND
Joe Slater (1):
ghostscript: fix CVE-2023-29979
Kai Kang (1):
webkitgtk: fix CVE-2022-32888 & CVE-2022-32923
Khem Raj (2):
gcc-runtime: Use static dummy libstdc++
quilt: Fix merge.test race condition
Lee Chee Yang (1):
migration-guides: add release notes for 4.0.10
Marek Vasut (1):
cpio: Fix wrong CRC with ASCII CRC for large files
Martin Jansa (3):
populate_sdk_ext.bbclass: set METADATA_REVISION with an DISTRO override
llvm: backport a fix for build with gcc-13
kernel-devicetree: make shell scripts posix compliant
Martin Siegumfeldt (1):
systemd-systemctl: fix instance template WantedBy symlink construction
Michael Halstead (2):
uninative: Upgrade to 3.10 to support gcc 13
uninative: Upgrade to 4.0 to include latest gcc 13.1.1
Michael Opdenacker (2):
conf.py: add macro for Mitre CVE links
migration-guides: use new cve_mitre macro
Ming Liu (1):
weston: add xwayland to DEPENDS for PACKAGECONFIG xwayland
Mingli Yu (1):
ruby: Fix CVE-2023-28755
Narpat Mali (3):
ffmpeg: fix for CVE-2022-48434
python3-cryptography: fix for CVE-2023-23931
python3-requests: fix for CVE-2023-32681
Omkar Patil (1):
curl: Correction for CVE-2023-27536
Pablo Saavedra (1):
gstreamer1.0: upgrade 1.20.5 -> 1.20.6
Pascal Bach (1):
cmake: add CMAKE_SYSROOT to generated toolchain file
Peter Bergin (1):
update-alternatives.bbclass: fix old override syntax
Peter Kjellerstedt (1):
license.bbclass: Include LICENSE in the output when it fails to parse
Peter Marko (2):
libxml2: patch CVE-2023-28484 and CVE-2023-29469
openssl: Upgrade 3.0.8 -> 3.0.9
Piotr Łobacz (1):
libarchive: Enable acls, xattr for native as well as target
Quentin Schulz (1):
Revert "docs: conf.py: fix cve extlinks caption for sphinx <4.0"
Randolph Sapp (4):
wic/bootimg-efi: if fixed-size is set then use that for mkdosfs
kernel-devicetree: allow specification of dtb directory
package: enable recursion on file globs
kernel-devicetree: recursively search for dtbs
Ranjitsinh Rathod (1):
libbsd: Add correct license for all packages
Richard Purdie (3):
maintainers.inc: Fix email address typo
maintainers.inc: Move repo to unassigned
selftest/reproducible: Allow native/cross reuse in test
Riyaz Khan (1):
openssh: Remove BSD-4-clause contents completely from codebase
Ross Burton (1):
xserver-xorg: backport fix for CVE-2023-1393
Sakib Sajal (1):
go: fix CVE-2023-24540
Shubham Kulkarni (1):
go: Security fix for CVE-2023-24538
Soumya (1):
perl: fix CVE-2023-31484
Steve Sakoman (3):
Revert "xserver-xorg: backport fix for CVE-2023-1393"
poky.conf: bump version for 4.0.10
build-appliance-image: Update to kirkstone head revision
Thomas Roos (1):
oeqa/utils/metadata.py: Fix running oe-selftest running with no distro set
Tom Hochstein (2):
piglit: Add PACKAGECONFIG for glx and opencl
piglit: Add missing glslang dependencies
Upgrade Helper (1):
waffle: upgrade 1.7.0 -> 1.7.2
Virendra Thakur (1):
qemu: Whitelist CVE-2023-0664
Vivek Kumbhar (3):
freetype: fix CVE-2023-2004 integer overflowin in tt_hvadvance_adjust() in src/truetype/ttgxvar.c
go: fix CVE-2023-24534 denial of service from excessive memory allocation
go: fix CVE-2023-24539 html/template improper sanitization of CSS values
Wang Mingyu (2):
wpebackend-fdo: upgrade 1.14.0 -> 1.14.2
xserver-xorg: upgrade 21.1.7 -> 21.1.8
Yoann Congal (1):
linux-yocto: Exclude 121 CVEs already fixed upstream
Yogita Urade (2):
xorg-lib-common: Add variable to set tarball type
libxpm: upgrade 3.5.13 -> 3.5.15
Zhixiong Chi (1):
libpam: Fix the xtests/tst-pam_motd[1|3] failures
Zoltan Boszormenyi (1):
piglit: Fix build time dependency
bkylerussell@gmail.com (1):
kernel-devsrc: depend on python3-core instead of python3
leimaohui (1):
nghttp2: Deleted the entries for -client and -server, and removed a dependency on them from the main package.
meta-security: cc20e2af2a..d398cc6ea6:
Armin Kuster (1):
apparmor: fix ownership issues
Josh Harley (1):
Add EROFS support to dm-verity-img class
Maciej Borzęcki (1):
dm-verity-img.bbclass: add squashfs images
Peter Marko (1):
tpm2-tss: upgrade to 3.2.2 to fix CVE-2023-22745
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I683201033cfd1b1135738f49b0faf6df2e6348b6
Diffstat (limited to 'poky/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch')
-rw-r--r-- | poky/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch | 435 |
1 files changed, 435 insertions, 0 deletions
diff --git a/poky/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch b/poky/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch new file mode 100644 index 0000000000..60342a14f8 --- /dev/null +++ b/poky/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch @@ -0,0 +1,435 @@ +CVE: CVE-2022-32923 +Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/ef76e31] + +[1]: https://support.apple.com/en-us/HT213495 +[2]: https://bugs.webkit.org/show_bug.cgi?id=242964 + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From ef76e31a2a066c3d65a9c94a9e2cd88133260c1f Mon Sep 17 00:00:00 2001 +From: Yusuke Suzuki <ysuzuki@apple.com> +Date: Wed, 20 Jul 2022 19:30:48 -0700 +Subject: [PATCH] [JSC] BakcwardPropagationPhase should carry NaN / Infinity + handling https://bugs.webkit.org/show_bug.cgi?id=242964 rdar://96791603 + +Reviewed by Mark Lam. + +For correctness, we should carry NaN / Infinity handling to make it more clear in the code generation site. + +* Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp: +(JSC::DFG::BackwardsPropagationPhase::propagate): +* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp: +(JSC::DFG::FixupPhase::fixupArithDivInt32): +(JSC::DFG::FixupPhase::fixupArithDiv): +* Source/JavaScriptCore/dfg/DFGGraph.h: +* Source/JavaScriptCore/dfg/DFGNode.h: +* Source/JavaScriptCore/dfg/DFGNodeFlags.cpp: +(JSC::DFG::dumpNodeFlags): +* Source/JavaScriptCore/dfg/DFGNodeFlags.h: +(JSC::DFG::bytecodeCanIgnoreNaNAndInfinity): +(JSC::DFG::nodeCanSpeculateInt32ForDiv): +* Source/JavaScriptCore/dfg/DFGNodeType.h: + +Canonical link: https://commits.webkit.org/252675@main +--- + .../dfg/DFGBackwardsPropagationPhase.cpp | 51 +++++++++++-------- + Source/JavaScriptCore/dfg/DFGFixupPhase.cpp | 6 ++- + Source/JavaScriptCore/dfg/DFGGraph.h | 11 ++++ + Source/JavaScriptCore/dfg/DFGNode.h | 12 +++-- + Source/JavaScriptCore/dfg/DFGNodeFlags.cpp | 10 ++-- + Source/JavaScriptCore/dfg/DFGNodeFlags.h | 37 +++++++++++--- + Source/JavaScriptCore/dfg/DFGNodeType.h | 3 +- + 7 files changed, 91 insertions(+), 39 deletions(-) + +diff --git a/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp b/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp +index 306ea5d6b974..83a08aff7c20 100644 +--- a/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp ++++ b/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp +@@ -272,7 +272,7 @@ private: + case ValueBitNot: + case ArithBitNot: { + flags |= NodeBytecodeUsesAsInt; +- flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther); ++ flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther); + flags &= ~NodeBytecodeUsesAsArrayIndex; + node->child1()->mergeFlags(flags); + break; +@@ -291,7 +291,7 @@ private: + case BitURShift: + case ArithIMul: { + flags |= NodeBytecodeUsesAsInt; +- flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther); ++ flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther); + flags &= ~NodeBytecodeUsesAsArrayIndex; + node->child1()->mergeFlags(flags); + node->child2()->mergeFlags(flags); +@@ -308,9 +308,9 @@ private: + + case StringSlice: { + node->child1()->mergeFlags(NodeBytecodeUsesAsValue); +- node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex); ++ node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity); + if (node->child3()) +- node->child3()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex); ++ node->child3()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity); + break; + } + +@@ -320,11 +320,11 @@ private: + if (node->numChildren() == 2) + m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsValue); + else if (node->numChildren() == 3) { +- m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex); ++ m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity); + m_graph.varArgChild(node, 2)->mergeFlags(NodeBytecodeUsesAsValue); + } else if (node->numChildren() == 4) { +- m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex); +- m_graph.varArgChild(node, 2)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex); ++ m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity); ++ m_graph.varArgChild(node, 2)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity); + m_graph.varArgChild(node, 3)->mergeFlags(NodeBytecodeUsesAsValue); + } + break; +@@ -345,6 +345,7 @@ private: + flags |= NodeBytecodeUsesAsNumber; + if (!m_allowNestedOverflowingAdditions) + flags |= NodeBytecodeUsesAsNumber; ++ flags |= NodeBytecodeNeedsNaNOrInfinity; + + node->child1()->mergeFlags(flags); + node->child2()->mergeFlags(flags); +@@ -359,6 +360,7 @@ private: + flags |= NodeBytecodeUsesAsNumber; + if (!m_allowNestedOverflowingAdditions) + flags |= NodeBytecodeUsesAsNumber; ++ flags |= NodeBytecodeNeedsNaNOrInfinity; + + node->child1()->mergeFlags(flags); + node->child2()->mergeFlags(flags); +@@ -366,7 +368,7 @@ private: + } + + case ArithClz32: { +- flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther | ~NodeBytecodeUsesAsArrayIndex); ++ flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther | ~NodeBytecodeUsesAsArrayIndex); + flags |= NodeBytecodeUsesAsInt; + node->child1()->mergeFlags(flags); + break; +@@ -380,6 +382,7 @@ private: + flags |= NodeBytecodeUsesAsNumber; + if (!m_allowNestedOverflowingAdditions) + flags |= NodeBytecodeUsesAsNumber; ++ flags |= NodeBytecodeNeedsNaNOrInfinity; + + node->child1()->mergeFlags(flags); + node->child2()->mergeFlags(flags); +@@ -387,6 +390,7 @@ private: + } + + case ArithNegate: { ++ // negation does not care about NaN, Infinity, -Infinity are converted into 0 if the result is evaluated under the integer context. + flags &= ~NodeBytecodeUsesAsOther; + + node->child1()->mergeFlags(flags); +@@ -401,6 +405,7 @@ private: + flags |= NodeBytecodeUsesAsNumber; + if (!m_allowNestedOverflowingAdditions) + flags |= NodeBytecodeUsesAsNumber; ++ flags |= NodeBytecodeNeedsNaNOrInfinity; + + node->child1()->mergeFlags(flags); + break; +@@ -421,7 +426,7 @@ private: + + node->mergeFlags(flags); + +- flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero; ++ flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity; + flags &= ~NodeBytecodeUsesAsOther; + + node->child1()->mergeFlags(flags); +@@ -431,7 +436,13 @@ private: + + case ValueDiv: + case ArithDiv: { +- flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero; ++ // ArithDiv / ValueDiv need to have NodeBytecodeUsesAsNumber even if it is used in the context of integer. ++ // For example, ++ // ((@x / @y) + @z) | 0 ++ // In this context, (@x / @y) can have integer context at first, but the result can be different if div ++ // generates NaN. Div and Mod are operations that can produce NaN / Infinity though only taking binary Int32 operands. ++ // Thus, we always need to check for overflow since it can affect downstream calculations. ++ flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity; + flags &= ~NodeBytecodeUsesAsOther; + + node->child1()->mergeFlags(flags); +@@ -441,7 +452,7 @@ private: + + case ValueMod: + case ArithMod: { +- flags |= NodeBytecodeUsesAsNumber; ++ flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity; + flags &= ~NodeBytecodeUsesAsOther; + + node->child1()->mergeFlags(flags); +@@ -452,7 +463,7 @@ private: + case EnumeratorGetByVal: + case GetByVal: { + m_graph.varArgChild(node, 0)->mergeFlags(NodeBytecodeUsesAsValue); +- m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex); ++ m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsArrayIndex); + break; + } + +@@ -461,13 +472,13 @@ private: + // Negative zero is not observable. NaN versus undefined are only observable + // in that you would get a different exception message. So, like, whatever: we + // claim here that NaN v. undefined is observable. +- node->child1()->mergeFlags(NodeBytecodeUsesAsInt | NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsArrayIndex); ++ node->child1()->mergeFlags(NodeBytecodeUsesAsInt | NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsArrayIndex); + break; + } + + case ToString: + case CallStringConstructor: { +- node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther); ++ node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity); + break; + } + +@@ -487,15 +498,15 @@ private: + case CompareBelowEq: + case CompareEq: + case CompareStrictEq: { +- node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther); +- node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther); ++ node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity); ++ node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity); + break; + } + + case PutByValDirect: + case PutByVal: { + m_graph.varArgChild(node, 0)->mergeFlags(NodeBytecodeUsesAsValue); +- m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex); ++ m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity); + m_graph.varArgChild(node, 2)->mergeFlags(NodeBytecodeUsesAsValue); + break; + } +@@ -508,20 +519,20 @@ private: + // then -0 and 0 are treated the same. We don't need NodeBytecodeUsesAsOther + // because if all of the cases are integers then NaN and undefined are + // treated the same (i.e. they will take default). +- node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsInt); ++ node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsInt | NodeBytecodeNeedsNaNOrInfinity); + break; + case SwitchChar: { + // We don't need NodeBytecodeNeedsNegZero because if the cases are all strings + // then -0 and 0 are treated the same. We don't need NodeBytecodeUsesAsOther + // because if all of the cases are single-character strings then NaN + // and undefined are treated the same (i.e. they will take default). +- node->child1()->mergeFlags(NodeBytecodeUsesAsNumber); ++ node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNaNOrInfinity); + break; + } + case SwitchString: + // We don't need NodeBytecodeNeedsNegZero because if the cases are all strings + // then -0 and 0 are treated the same. +- node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther); ++ node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity); + break; + case SwitchCell: + // There is currently no point to being clever here since this is used for switching +diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp +index e8bee58ada15..b679539de2e6 100644 +--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp ++++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp +@@ -81,7 +81,9 @@ private: + if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) { + fixIntOrBooleanEdge(leftChild); + fixIntOrBooleanEdge(rightChild); +- if (bytecodeCanTruncateInteger(node->arithNodeFlags())) ++ // We need to be careful about skipping overflow check because div / mod can generate non integer values ++ // from (Int32, Int32) inputs. For now, we always check non-zero divisor. ++ if (bytecodeCanTruncateInteger(node->arithNodeFlags()) && bytecodeCanIgnoreNaNAndInfinity(node->arithNodeFlags()) && bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())) + node->setArithMode(Arith::Unchecked); + else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())) + node->setArithMode(Arith::CheckOverflow); +@@ -122,7 +124,7 @@ private: + + void fixupArithDiv(Node* node, Edge& leftChild, Edge& rightChild) + { +- if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) { ++ if (m_graph.divShouldSpeculateInt32(node, FixupPass)) { + fixupArithDivInt32(node, leftChild, rightChild); + return; + } +diff --git a/Source/JavaScriptCore/dfg/DFGGraph.h b/Source/JavaScriptCore/dfg/DFGGraph.h +index ca566d3a484e..284c87672849 100644 +--- a/Source/JavaScriptCore/dfg/DFGGraph.h ++++ b/Source/JavaScriptCore/dfg/DFGGraph.h +@@ -373,6 +373,17 @@ public: + + return shouldSpeculateInt52ForAdd(left) && shouldSpeculateInt52ForAdd(right); + } ++ ++ bool divShouldSpeculateInt32(Node* node, PredictionPass pass) ++ { ++ // Even if inputs are Int32, div can generate NaN or Infinity. ++ // Thus, Overflow in div can be caused by these non integer values as well as actual Int32 overflow. ++ Node* left = node->child1().node(); ++ Node* right = node->child2().node(); ++ ++ return Node::shouldSpeculateInt32OrBooleanForArithmetic(left, right) ++ && nodeCanSpeculateInt32ForDiv(node->arithNodeFlags(), node->sourceFor(pass)); ++ } + + bool binaryArithShouldSpeculateInt32(Node* node, PredictionPass pass) + { +diff --git a/Source/JavaScriptCore/dfg/DFGNode.h b/Source/JavaScriptCore/dfg/DFGNode.h +index f9ff50658e93..04509a3846ca 100644 +--- a/Source/JavaScriptCore/dfg/DFGNode.h ++++ b/Source/JavaScriptCore/dfg/DFGNode.h +@@ -3308,21 +3308,25 @@ public: + out.printf(", @%u", child3()->index()); + } + +- NodeOrigin origin; ++ NO_UNIQUE_ADDRESS NodeOrigin origin; + ++private: ++ NO_UNIQUE_ADDRESS NodeType m_op; ++ ++ NO_UNIQUE_ADDRESS unsigned m_index { std::numeric_limits<unsigned>::max() }; ++ ++public: + // References to up to 3 children, or links to a variable length set of children. + AdjacencyList children; + + private: + friend class B3::SparseCollection<Node>; + +- unsigned m_index { std::numeric_limits<unsigned>::max() }; +- unsigned m_op : 10; // real type is NodeType +- unsigned m_flags : 21; + // The virtual register number (spill location) associated with this . + VirtualRegister m_virtualRegister; + // The number of uses of the result of this operation (+1 for 'must generate' nodes, which have side-effects). + unsigned m_refCount; ++ NodeFlags m_flags; + // The prediction ascribed to this node after propagation. + SpeculatedType m_prediction { SpecNone }; + // Immediate values, accesses type-checked via accessors above. +diff --git a/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp b/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp +index 88242947f6ef..0c53cd976c5c 100644 +--- a/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp ++++ b/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp +@@ -74,12 +74,14 @@ void dumpNodeFlags(PrintStream& actualOut, NodeFlags flags) + out.print(comma, "VarArgs"); + + if (flags & NodeResultMask) { +- if (!(flags & NodeBytecodeUsesAsNumber) && !(flags & NodeBytecodeNeedsNegZero)) ++ if (!(flags & NodeBytecodeUsesAsNumber)) + out.print(comma, "PureInt"); +- else if (!(flags & NodeBytecodeUsesAsNumber)) +- out.print(comma, "PureInt(w/ neg zero)"); +- else if (!(flags & NodeBytecodeNeedsNegZero)) ++ else + out.print(comma, "PureNum"); ++ if (flags & NodeBytecodeNeedsNegZero) ++ out.print(comma, "NeedsNegZero"); ++ if (flags & NodeBytecodeNeedsNaNOrInfinity) ++ out.print(comma, "NeedsNaNOrInfinity"); + if (flags & NodeBytecodeUsesAsOther) + out.print(comma, "UseAsOther"); + } +diff --git a/Source/JavaScriptCore/dfg/DFGNodeFlags.h b/Source/JavaScriptCore/dfg/DFGNodeFlags.h +index 2ebe3544f601..aa60db7e6ba0 100644 +--- a/Source/JavaScriptCore/dfg/DFGNodeFlags.h ++++ b/Source/JavaScriptCore/dfg/DFGNodeFlags.h +@@ -61,18 +61,19 @@ namespace JSC { namespace DFG { + #define NodeBytecodeUseBottom 0x00000 + #define NodeBytecodeUsesAsNumber 0x04000 // The result of this computation may be used in a context that observes fractional, or bigger-than-int32, results. + #define NodeBytecodeNeedsNegZero 0x08000 // The result of this computation may be used in a context that observes -0. +-#define NodeBytecodeUsesAsOther 0x10000 // The result of this computation may be used in a context that distinguishes between NaN and other things (like undefined). +-#define NodeBytecodeUsesAsInt 0x20000 // The result of this computation is known to be used in a context that prefers, but does not require, integer values. +-#define NodeBytecodeUsesAsArrayIndex 0x40000 // The result of this computation is known to be used in a context that strongly prefers integer values, to the point that we should avoid using doubles if at all possible. +-#define NodeBytecodeUsesAsValue (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther) +-#define NodeBytecodeBackPropMask (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex) ++#define NodeBytecodeNeedsNaNOrInfinity 0x10000 // The result of this computation may be used in a context that observes NaN or Infinity. ++#define NodeBytecodeUsesAsOther 0x20000 // The result of this computation may be used in a context that distinguishes between NaN and other things (like undefined). ++#define NodeBytecodeUsesAsInt 0x40000 // The result of this computation is known to be used in a context that prefers, but does not require, integer values. ++#define NodeBytecodeUsesAsArrayIndex 0x80000 // The result of this computation is known to be used in a context that strongly prefers integer values, to the point that we should avoid using doubles if at all possible. ++#define NodeBytecodeUsesAsValue (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther) ++#define NodeBytecodeBackPropMask (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex) + + #define NodeArithFlagsMask (NodeBehaviorMask | NodeBytecodeBackPropMask) + +-#define NodeIsFlushed 0x80000 // Computed by CPSRethreadingPhase, will tell you which local nodes are backwards-reachable from a Flush. ++#define NodeIsFlushed 0x100000 // Computed by CPSRethreadingPhase, will tell you which local nodes are backwards-reachable from a Flush. + +-#define NodeMiscFlag1 0x100000 +-#define NodeMiscFlag2 0x200000 ++#define NodeMiscFlag1 0x200000 ++#define NodeMiscFlag2 0x400000 + + typedef uint32_t NodeFlags; + +@@ -91,6 +92,11 @@ static inline bool bytecodeCanIgnoreNegativeZero(NodeFlags flags) + return !(flags & NodeBytecodeNeedsNegZero); + } + ++static inline bool bytecodeCanIgnoreNaNAndInfinity(NodeFlags flags) ++{ ++ return !(flags & NodeBytecodeNeedsNaNOrInfinity); ++} ++ + enum RareCaseProfilingSource { + BaselineRareCase, // Comes from slow case counting in the baseline JIT. + DFGRareCase, // Comes from OSR exit profiles. +@@ -147,6 +153,21 @@ static inline bool nodeCanSpeculateInt32(NodeFlags flags, RareCaseProfilingSourc + return true; + } + ++static inline bool nodeCanSpeculateInt32ForDiv(NodeFlags flags, RareCaseProfilingSource source) ++{ ++ if (nodeMayOverflowInt32(flags, source)) { ++ if (bytecodeUsesAsNumber(flags)) ++ return false; ++ if (!bytecodeCanIgnoreNaNAndInfinity(flags)) ++ return false; ++ } ++ ++ if (nodeMayNegZero(flags, source)) ++ return bytecodeCanIgnoreNegativeZero(flags); ++ ++ return true; ++} ++ + static inline bool nodeCanSpeculateInt52(NodeFlags flags, RareCaseProfilingSource source) + { + if (nodeMayOverflowInt52(flags, source)) +diff --git a/Source/JavaScriptCore/dfg/DFGNodeType.h b/Source/JavaScriptCore/dfg/DFGNodeType.h +index 8f885b570665..aad4d559ccf7 100644 +--- a/Source/JavaScriptCore/dfg/DFGNodeType.h ++++ b/Source/JavaScriptCore/dfg/DFGNodeType.h +@@ -567,7 +567,7 @@ namespace JSC { namespace DFG { + + // This enum generates a monotonically increasing id for all Node types, + // and is used by the subsequent enum to fill out the id (as accessed via the NodeIdMask). +-enum NodeType { ++enum NodeType : uint16_t { + #define DFG_OP_ENUM(opcode, flags) opcode, + FOR_EACH_DFG_OP(DFG_OP_ENUM) + #undef DFG_OP_ENUM +@@ -577,6 +577,7 @@ enum NodeType { + #define DFG_OP_COUNT(opcode, flags) + 1 + constexpr unsigned numberOfNodeTypes = FOR_EACH_DFG_OP(DFG_OP_COUNT); + #undef DFG_OP_COUNT ++static_assert(numberOfNodeTypes <= UINT16_MAX); + + // Specifies the default flags for each node. + inline NodeFlags defaultFlags(NodeType op) +-- +2.34.1 + |