Reviewers: Michael Achenbach,
Message:
A negative offset (from a large positive int32 that overflowed) generates invalid
bounds-checking code and thereby an invalid access to the heap. We just need to make sure that
the constant offset is in [0,length[.
PTAL
Description:
[turbofan] Fix invalid bounds check with overflowing offset.
TEST=mjsunit/compiler/regress-445267
BUG=chromium:445267
LOG=y
Please review this at https://codereview.chromium.org/825403002/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+9, -7 lines):
M src/compiler/x64/instruction-selector-x64.cc
A + test/mjsunit/compiler/regress-445267.js
Index: src/compiler/x64/instruction-selector-x64.cc
diff --git a/src/compiler/x64/instruction-selector-x64.cc
b/src/compiler/x64/instruction-selector-x64.cc
index
2dfd40134382024e3cabc88383af47dcadb29bdc..aba480de42319c58edd4e92c63004108ac5b2b6b
100644
--- a/src/compiler/x64/instruction-selector-x64.cc
+++ b/src/compiler/x64/instruction-selector-x64.cc
@@ -237,6 +237,7 @@ void InstructionSelector::VisitCheckedLoad(Node* node) {
Int32Matcher mlength(length);
Int32BinopMatcher moffset(offset);
if (mlength.HasValue() && moffset.right().HasValue() &&
+ moffset.right().Value() >= 0 &&
mlength.Value() >= moffset.right().Value()) {
Emit(opcode, g.DefineAsRegister(node), g.UseRegister(buffer),
g.UseRegister(moffset.left().node()),
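Review bot: The added `moffset.right().Value() >= 0` is the only thing that keeps a wrapped (negative) constant offset from widening the emitted bound, but nothing in either hunk says so; a comment above the condition, `// The constant offset must be in [0, length]: a negative (wrapped) constant would make the remaining length exceed the real buffer length.`, would keep a later refactor from dropping it. The commit message says the offset must be in [0,length[, yet `mlength.Value() >= moffset.right().Value()` still admits offset == length; that is presumably harmless if the emitted bound becomes zero (the Emit arguments are outside the hunk), but the message and the condition should agree. The identical condition is repeated in VisitCheckedStore in the next hunk, so a small static helper taking the two matchers would stop the load and store paths from drifting apart. Both VisitCheckedLoad and VisitCheckedStore start and end outside their hunks.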
@@ -285,6 +286,7 @@ void InstructionSelector::VisitCheckedStore(Node* node)
{
Int32Matcher mlength(length);
Int32BinopMatcher moffset(offset);
if (mlength.HasValue() && moffset.right().HasValue() &&
+ moffset.right().Value() >= 0 &&
mlength.Value() >= moffset.right().Value()) {
Emit(opcode, nullptr, g.UseRegister(buffer),
g.UseRegister(moffset.left().node()),
Index: test/mjsunit/compiler/regress-445267.js
diff --git a/test/mjsunit/asm/float32array-store-div.js
b/test/mjsunit/compiler/regress-445267.js
similarity index 50%
copy from test/mjsunit/asm/float32array-store-div.js
copy to test/mjsunit/compiler/regress-445267.js
index
78224f962b7971f2b86a5381e98e2bbd2c63ca13..465168b6e87ae6d49696d9e67c06a7bb982ace57
100644
--- a/test/mjsunit/asm/float32array-store-div.js
+++ b/test/mjsunit/compiler/regress-445267.js
@@ -2,15 +2,15 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-function Module(stdlib, foreign, heap) {
+var foo = (function Module(stdlib, foreign, heap) {
"use asm";
- var MEM32 = new stdlib.Float32Array(heap);
+ var MEM16 = new stdlib.Int16Array(heap);
function foo(i) {
- MEM32[0] = (i >>> 0) / 2;
- return MEM32[0];
+ i = i|0;
+ i = MEM16[i + 2147483650 >> 1]|0;
+ return i;
}
return { foo: foo };
-}
+})(this, {}, new ArrayBuffer(64 * 1024)).foo;
-var foo = Module(this, {}, new ArrayBuffer(64 * 1024)).foo;
-assertEquals(0.5, foo(1));
+foo(0);
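Review bot: The new test only shows that `foo(0)` does not crash; it never checks the value returned, so a regression that silently reads a wrong in-bounds slot would still pass. An assertion on the result, e.g. `assertEquals(0, foo(0));` (an out-of-range typed-array read yields undefined, and `|0` turns that into 0), would make the expected behaviour explicit. The constant `2147483650` is also unexplained; a one-line comment such as `// 2147483650 does not fit in an int32, so the constant part of the index wraps to a negative value.` would tell the reader why this particular value triggers the bug.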