Reviewers: Toon Verwaest,
Message:
Could you take a look?
Description:
Add %LoadMutableDouble index check.
[email protected]
BUG=410262
LOG=N
Please review this at https://codereview.chromium.org/534243002/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+20, -7 lines):
M src/field-index.h
M src/field-index-inl.h
M src/runtime.cc
A + test/mjsunit/regress/regress-410262.js
Index: src/field-index-inl.h
diff --git a/src/field-index-inl.h b/src/field-index-inl.h
index
198422feef4b65f21c7f5c14cc867cc306fb1ff9..80e486945b48eecb7944b3be34b04256a167112b
100644
--- a/src/field-index-inl.h
+++ b/src/field-index-inl.h
@@ -69,6 +69,18 @@ inline FieldIndex FieldIndex::ForLoadByFieldIndex(Map*
map, int orig_index) {
}
+inline bool FieldIndex::LoadByFieldIndexValid(int index) {
+ index >>= 1;
+ if (index < 0) {
+ index = -(index + 1);
+ index += FixedArray::kHeaderSize / kPointerSize;
+ } else {
+ index += JSObject::kHeaderSize / kPointerSize;
+ }
+ return IndexBits::is_valid(index);
+}
+
+
// Returns the index format accepted by the HLoadFieldByIndex instruction.
// (In-object: zero-based from (object start + JSObject::kHeaderSize),
// out-of-object: zero-based from FixedArray::kHeaderSize.)
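Review bot: LoadByFieldIndexValid re-derives the index transformation (shift by one, negative-index flip, header-size offsets) rather than sharing it with ForLoadByFieldIndex, so the guard is only correct for as long as the two stay byte-for-byte identical, and nothing in the new function says so. Add above the definition `// Must mirror the index transformation in ForLoadByFieldIndex: returns true iff the transformed index fits in IndexBits.` — ForLoadByFieldIndex itself lies above the hunk, only its closing brace is visible. Right-shifting a negative `index` is implementation-defined before C++20; it is arithmetic on the toolchains V8 builds with and is presumably the same shift ForLoadByFieldIndex performs, but a short comment on the `index >>= 1` line would save the next reader the check.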
Index: src/field-index.h
diff --git a/src/field-index.h b/src/field-index.h
index
2558529070b8a09a787208dc897486d0d4d69d27..bd6b4e72ded6c04d9710a51c703663e3c35addf2
100644
--- a/src/field-index.h
+++ b/src/field-index.h
@@ -30,6 +30,8 @@ class FieldIndex FINAL {
int GetLoadByFieldIndex() const;
+ static bool LoadByFieldIndexValid(int index);
+
bool is_inobject() const {
return IsInObjectBits::decode(bit_field_);
}
Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index
e6277060732e9d71feb9d592af657a3dff31e406..be6531b9140dc2a2277a414496c904835075e4e5
100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -14641,6 +14641,7 @@ RUNTIME_FUNCTION(Runtime_LoadMutableDouble) {
CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0);
CONVERT_ARG_HANDLE_CHECKED(Smi, index, 1);
RUNTIME_ASSERT((index->value() & 1) == 1);
+ RUNTIME_ASSERT(FieldIndex::LoadByFieldIndexValid(index->value()));
FieldIndex field_index =
FieldIndex::ForLoadByFieldIndex(object->map(), index->value());
if (field_index.is_inobject()) {
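Review bot: The added RUNTIME_ASSERT only establishes that the transformed index fits the FieldIndex bit field; it says nothing about whether that slot exists on this particular object, so it must remain paired with the per-object bounds checks that the `if (field_index.is_inobject())` branch on the last hunk line presumably performs — that branch body is outside the hunk and I could not confirm it. The position is right: it runs before ForLoadByFieldIndex sees the value. A one-line comment would make the division of labour explicit, e.g. `// Reject indices that do not fit IndexBits before ForLoadByFieldIndex encodes them; object-specific bounds are checked below.` Runtime_LoadMutableDouble continues past the end of the hunk.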
Index: test/mjsunit/regress/regress-410262.js
diff --git a/test/mjsunit/regress/regress-355486.js
b/test/mjsunit/regress/regress-410262.js
similarity index 62%
copy from test/mjsunit/regress/regress-355486.js
copy to test/mjsunit/regress/regress-410262.js
index
55362a13416335b72bfa1ff92bc29f7a04edbd65..ebbd94bdab52c91edf5bb9e027c20e81fd485a98
100644
--- a/test/mjsunit/regress/regress-355486.js
+++ b/test/mjsunit/regress/regress-410262.js
@@ -4,10 +4,8 @@
// Flags: --allow-natives-syntax
-function f() { var v = arguments[0]; }
-function g() { f(); }
-
-g();
-g();
-%OptimizeFunctionOnNextCall(g);
-g();
+assertThrows(function() {
+ var arg0 = { with : arg0 };
+ var _index = (8191);
+ %LoadMutableDouble(arg0, _index);
+});
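Review bot: The new test carries no comment saying what it regresses, and assertThrows accepts any exception, so it would also pass if %LoadMutableDouble threw for an unrelated reason (8191 is odd, so the existing odd-index assert is satisfied, but a later check could still be the one firing). Add above the assertThrows a line such as `// Out-of-range odd index must be rejected by %LoadMutableDouble rather than trusted.`, worded to match the bug report. `var arg0 = { with : arg0 }` reads arg0 before it is assigned, so the property value is undefined — this looks like a reduced fuzzer case, and `var arg0 = {};` would express the intent more clearly. Lines 1-3 of the file (the copied license header) are outside the hunk.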