Revision: 24105
Author: [email protected]
Date: Mon Sep 22 07:17:13 2014 UTC
Log: [turbofan] Bounds check when lowering JSStoreProperty.
[email protected]
Review URL: https://codereview.chromium.org/559653005
https://code.google.com/p/v8/source/detail?r=24105
Modified:
/branches/bleeding_edge/src/compiler/js-graph.h
/branches/bleeding_edge/src/compiler/js-typed-lowering.cc
=======================================
--- /branches/bleeding_edge/src/compiler/js-graph.h Fri Sep 12 11:06:37
2014 UTC
+++ /branches/bleeding_edge/src/compiler/js-graph.h Mon Sep 22 07:17:13
2014 UTC
@@ -65,6 +65,9 @@
// Creates a Int32Constant node, usually canonicalized.
Node* Int32Constant(int32_t value);
+ Node* Uint32Constant(uint32_t value) {
+ return Int32Constant(bit_cast<int32_t>(value));
+ }
// Creates a Float64Constant node, usually canonicalized.
Node* Float64Constant(double value);
@@ -109,6 +112,7 @@
Factory* factory() { return isolate()->factory(); }
};
+
} // namespace compiler
} // namespace internal
} // namespace v8
=======================================
--- /branches/bleeding_edge/src/compiler/js-typed-lowering.cc Fri Sep 19
15:02:58 2014 UTC
+++ /branches/bleeding_edge/src/compiler/js-typed-lowering.cc Mon Sep 22
07:17:13 2014 UTC
@@ -571,13 +571,14 @@
// TODO(mstarzinger): This lowering is not correct if:
// a) The typed array turns external (i.e. MaterializeArrayBuffer)
// b) The typed array or it's buffer is neutered.
- // c) The index is out of bounds
if (key_type->Is(Type::Integral32()) && base_type->IsConstant() &&
base_type->AsConstant()->Value()->IsJSTypedArray()) {
// JSStoreProperty(typed-array, int32, value)
JSTypedArray* array =
JSTypedArray::cast(*base_type->AsConstant()->Value());
ElementsKind elements_kind = array->map()->elements_kind();
ExternalArrayType type = array->type();
+ uint32_t length;
+ CHECK(array->length()->ToUint32(&length));
ElementAccess element_access;
Node* elements = graph()->NewNode(
simplified()->LoadField(AccessBuilder::ForJSObjectElements()),
base,
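Review bot: The length read at the new CHECK is a compile-time snapshot of a constant JSTypedArray that is embedded into the graph, so the TODO above (item b, neutering) now also describes when the embedded bound goes stale, and the read should say so, e.g. `// Compile-time snapshot of the array length; it is baked into the bounds check below and becomes stale if the array is neutered (see TODO b).` The CHECK itself is reasonable if a typed array length is always a non-negative integer, but if that invariant is not guaranteed here a failed ToUint32 aborts the compiler instead of bailing out, so a DCHECK with a NoChange() fallback may be the safer shape; that depends on JSTypedArray invariants not visible in this hunk. ReduceJSStoreProperty starts before this hunk.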
@@ -591,11 +592,24 @@
DCHECK(IsFixedTypedArrayElementsKind(elements_kind));
element_access = AccessBuilder::ForTypedArrayElement(type, false);
}
- Node* store =
- graph()->NewNode(simplified()->StoreElement(element_access),
elements,
- key, value, NodeProperties::GetEffectInput(node),
- NodeProperties::GetControlInput(node));
- return ReplaceEagerly(node, store);
+
+ Node* check = graph()->NewNode(machine()->Uint32LessThan(), key,
+ jsgraph()->Uint32Constant(length));
+ Node* branch = graph()->NewNode(common()->Branch(), check,
+ NodeProperties::GetControlInput(node));
+
+ Node* if_true = graph()->NewNode(common()->IfTrue(), branch);
+ Node* store = graph()->NewNode(
+ simplified()->StoreElement(element_access), elements, key, value,
+ NodeProperties::GetEffectInput(node), if_true);
+
+ Node* if_false = graph()->NewNode(common()->IfFalse(), branch);
+
+ Node* merge = graph()->NewNode(common()->Merge(2), if_true, if_false);
+ Node* phi = graph()->NewNode(common()->EffectPhi(2), store,
+ NodeProperties::GetEffectInput(node),
merge);
+
+ return ReplaceWith(phi);
}
return NoChange();
}
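Review bot: The unsigned comparison on the new check line does double duty that deserves a comment: key_type is only required to be Integral32, so a negative key reaches Uint32LessThan as a large unsigned value and fails the check, landing in the if_false arm exactly like an index beyond length. I would annotate the check with `// Unsigned compare: a negative int32 key wraps to >= 2^31 and is rejected like any other out-of-range index.` and the if_false/EffectPhi with `// Out-of-bounds typed array stores are dropped, so the false arm just forwards the incoming effect.` One thing to confirm: ReplaceWith(phi) redirects every use of the JSStoreProperty node to the EffectPhi, and if the node has any control uses they should be pointed at merge rather than at an effect node, which cannot be checked from this hunk. The body of ReduceJSStoreProperty starts before this hunk.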