Reviewers: jarin,

Description:
[turbofan] Don't crash when typing load from a Uint8ClampedArray.

TEST=mjsunit/compiler/regress-446156
BUG=chromium:446156
LOG=y
[email protected]

Please review this at https://codereview.chromium.org/835883003/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+24, -26 lines):
  M src/compiler/typer.cc
  A + test/mjsunit/compiler/regress-446156.js


Index: src/compiler/typer.cc
diff --git a/src/compiler/typer.cc b/src/compiler/typer.cc
index a170a71512b4be188be53908868e64c3911325ed..2caeb9b94ba02489b0bc034397f77b0ef4c7ab78 100644
--- a/src/compiler/typer.cc
+++ b/src/compiler/typer.cc
@@ -33,10 +33,11 @@ enum LazyCachedType {
   kImulFunc,
   kClz32Func,
   kArrayBufferFunc,
-#define NATIVE_TYPE_CASE(Type) k##Type, k##Type##Array, k##Type##ArrayFunc,
-  NATIVE_TYPES(NATIVE_TYPE_CASE)
-#undef NATIVE_TYPE_CASE
-  kNumLazyCachedTypes
+#define TYPED_ARRAY_CASE(Type, type, TYPE, ctype, size) \
+  k##Type, k##Type##Array, k##Type##ArrayFunc,
+  TYPED_ARRAYS(TYPED_ARRAY_CASE)
+#undef TYPED_ARRAY_CASE
+      kNumLazyCachedTypes
 };


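Review bot: `kNumLazyCachedTypes` on the new side is indented six spaces while every other enumerator in the hunk uses two, which looks like a formatter artifact of the preceding macro expansion rather than intent; `  kNumLazyCachedTypes` keeps it aligned with `kArrayBufferFunc` above. The unused `type, TYPE, ctype, size` parameters of `TYPED_ARRAY_CASE` are presumably dictated by the signature the `TYPED_ARRAYS` list expects, which is fine as long as that list is the single source of the typed-array kinds.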
@@ -75,6 +76,8 @@ class LazyTypeCache FINAL : public ZoneObject {
         return CreateNative(Type::Number(), Type::UntaggedFloat32());
       case kFloat64:
         return CreateNative(Type::Number(), Type::UntaggedFloat64());
+      case kUint8Clamped:
+        return Get(kUint8);
       case kNumberFunc0:
         return Type::Function(Type::Number(), zone());
       case kNumberFunc1:
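Review bot: The new `kUint8Clamped` case aliases the clamped element type to `Get(kUint8)` without saying why, and that aliasing is exactly what lets the `TYPED_ARRAYS` expansions in the TypeLoadBuffer and TypeConstant hunks below cover Uint8ClampedArray without a dedicated case. A one-line comment would keep the decision visible, e.g. `// Loads from a Uint8ClampedArray yield plain uint8 values; clamping only affects stores.` The TypeConstant hunk also deletes the TODO(rossberg) asking whether a distinct ClampedArray type is wanted; since the answer taken here is "reuse Uint8", it is worth carrying that question over as a comment on this case rather than dropping it. The enclosing Get() method begins outside the hunk.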
@@ -89,13 +92,13 @@ class LazyTypeCache FINAL : public ZoneObject {
         return Type::Function(CreateRange(0, 32), Type::Number(), zone());
       case kArrayBufferFunc:
return Type::Function(Type::Object(zone()), Type::Unsigned32(), zone());
-#define NATIVE_TYPE_CASE(Type)        \
-  case k##Type##Array:                \
-    return CreateArray(Get(k##Type)); \
-  case k##Type##ArrayFunc:            \
+#define TYPED_ARRAY_CASE(Type, type, TYPE, ctype, size) \
+  case k##Type##Array:                                  \
+    return CreateArray(Get(k##Type));                   \
+  case k##Type##ArrayFunc:                              \
     return CreateArrayFunction(Get(k##Type##Array));
-        NATIVE_TYPES(NATIVE_TYPE_CASE)
-#undef NATIVE_TYPE_CASE
+        TYPED_ARRAYS(TYPED_ARRAY_CASE)
+#undef TYPED_ARRAY_CASE
       case kNumLazyCachedTypes:
         break;
     }
@@ -1615,13 +1618,11 @@ Bounds Typer::Visitor::TypeLoadBuffer(Node* node) {
// TODO(bmeurer): This typing is not yet correct. Since we can still access
   // out of bounds, the type in the general case has to include Undefined.
   switch (BufferAccessOf(node->op()).external_array_type()) {
-#define NATIVE_TYPE_CASE(Type) \
-  case kExternal##Type##Array: \
+#define TYPED_ARRAY_CASE(Type, type, TYPE, ctype, size) \
+  case kExternal##Type##Array:                          \
     return Bounds(typer_->cache_->Get(k##Type));
-    NATIVE_TYPES(NATIVE_TYPE_CASE)
-#undef NATIVE_TYPE_CASE
-    case kExternalUint8ClampedArray:
-      break;
+    TYPED_ARRAYS(TYPED_ARRAY_CASE)
+#undef TYPED_ARRAY_CASE
   }
   UNREACHABLE();
   return Bounds();
@@ -2088,14 +2089,11 @@ Type* Typer::Visitor::TypeConstant(Handle<Object> value) {
     }
   } else if (value->IsJSTypedArray()) {
     switch (JSTypedArray::cast(*value)->type()) {
-#define NATIVE_TYPE_CASE(Type) \
-  case kExternal##Type##Array: \
+#define TYPED_ARRAY_CASE(Type, type, TYPE, ctype, size) \
+  case kExternal##Type##Array:                          \
     return typer_->cache_->Get(k##Type##Array);
-      NATIVE_TYPES(NATIVE_TYPE_CASE)
-#undef NATIVE_TYPE_CASE
-      case kExternalUint8ClampedArray:
- // TODO(rossberg): Do we want some ClampedArray type to express this?
-        break;
+      TYPED_ARRAYS(TYPED_ARRAY_CASE)
+#undef TYPED_ARRAY_CASE
     }
   }
   return Type::Constant(value, zone());
Index: test/mjsunit/compiler/regress-446156.js
diff --git a/test/mjsunit/compiler/regress-444508.js b/test/mjsunit/compiler/regress-446156.js
similarity index 66%
copy from test/mjsunit/compiler/regress-444508.js
copy to test/mjsunit/compiler/regress-446156.js
index e7d51ae831fd0c20dcbac1e825ac3740bcb7e953..f3cd2dd94ee0a466f9b1ee00fce9172588e1af88 100644
--- a/test/mjsunit/compiler/regress-444508.js
+++ b/test/mjsunit/compiler/regress-446156.js
@@ -1,4 +1,4 @@
-// Copyright 2014 the V8 project authors. All rights reserved.
+// Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

@@ -6,6 +6,6 @@
   "use asm";
   // This is not valid asm.js, but should nevertheless work.
   var MEM = new Uint8ClampedArray(heap);
-  function foo(i) { MEM[0] = 1; }
+  function foo(  )  { MEM[0] ^=  1; }
   return {foo: foo};
-})(this, {}, new ArrayBuffer(64 * 1024)).foo();
+})(this, {}, new ArrayBuffer(  ) ).foo();
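Review bot: The rewritten lines carry stray whitespace — `function foo(  )  { MEM[0] ^=  1; }` and `new ArrayBuffer(  )` — that reads as an editing leftover from the copied regress-444508.js rather than intent; `function foo() { MEM[0] ^= 1; }` and `new ArrayBuffer()` say the same thing. If the argument-less ArrayBuffer is deliberate (a zero-length buffer makes `MEM[0]` an out-of-bounds access, so the `^=` exercises a load that yields undefined before the store), a short comment saying so would keep a later cleanup from "fixing" it back to a sized buffer. The enclosing asm.js module function begins outside the hunk.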

