Reviewers: dcarney,

Message:
PTAL

Description:
Ensure we don't underflow in BCE

BUG=469148
LOG=y

Please review this at https://codereview.chromium.org/1023123003/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+37, -1 lines):
  M src/hydrogen-bce.cc
  A test/mjsunit/regress/regress-bce-underflow.js


Index: src/hydrogen-bce.cc
diff --git a/src/hydrogen-bce.cc b/src/hydrogen-bce.cc
index 18bd0affb6ee2d2ba7a29e6000f576cc23352784..3bf8e9f03904c76ca9ee406cf5a4dbfed517148b 100644
--- a/src/hydrogen-bce.cc
+++ b/src/hydrogen-bce.cc
@@ -56,7 +56,8 @@ class BoundsCheckKey : public ZoneObject {
       constant = HConstant::cast(check->index());
     }

-    if (constant != NULL && constant->HasInteger32Value()) {
+    if (constant != NULL && constant->HasInteger32Value() &&
+        constant->Integer32Value() != kMinInt) {
       *offset = is_sub ? - constant->Integer32Value()
                        : constant->Integer32Value();
     } else {
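Review bot: The new `constant->Integer32Value() != kMinInt` condition carries no comment saying why that single value is excluded, and the reason is not visible from the condition itself: on the `is_sub` path the next line computes `- constant->Integer32Value()`, and negating kMinInt is not representable in int32 (it wraps back to kMinInt), so the offset would be wrong. I would add `// -kMinInt is not representable as int32, so a kMinInt constant cannot be folded into the offset.` directly above the `if`, so the next reader does not "simplify" the guard away. The guard also rejects kMinInt when `is_sub` is false, which looks like a deliberately conservative choice that sends the constant to the `else` branch; if so, the comment should say that too. The enclosing function begins before this hunk and its `else` branch continues after it.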
Index: test/mjsunit/regress/regress-bce-underflow.js
diff --git a/test/mjsunit/regress/regress-bce-underflow.js b/test/mjsunit/regress/regress-bce-underflow.js
new file mode 100644
index 0000000000000000000000000000000000000000..daa776005e7b5bcb165cd04f2c6abf226fc720b3
--- /dev/null
+++ b/test/mjsunit/regress/regress-bce-underflow.js
@@ -0,0 +1,35 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f(a, i, bool) {
+  var result;
+  if (bool) {
+ // Make sure i - -0x80000000 doesn't overflow in BCE, missing a check for
+    // x-0 later on.
+    result = f2(a, 0x7fffffff, i, i, -0x80000000);
+  } else {
+    result = f2(a, -3, 4, i, 0);
+  }
+  return result;
+}
+
+function f2(a, c, x, i, d) {
+  return a[x + c] + a[x - 0] + a[i - d];
+}
+
+
+var a = [];
+var i = 0;
+a.push(i++);
+a.push(i++);
+a.push(i++);
+a.push(i++);
+a.push(i++);
+f(a, 0, false);
+f(a, 0, false);
+f(a, 0, false);
+%OptimizeFunctionOnNextCall(f);
+%DebugPrint(f(a, -0x7fffffff, true));
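Review bot: The first comment line inside the `if (bool)` body is mis-indented — `// Make sure i - -0x80000000 doesn't overflow in BCE, missing a check for` sits at one space while its continuation and the code sit at four — and should be re-indented to match, `    // Make sure i - -0x80000000 doesn't overflow in BCE, missing a check for`. The test also ends in `%DebugPrint(f(a, -0x7fffffff, true));` with no assertion, so it only fails if the optimized code crashes; a bounds check that is silently elided (the miscompile this CL guards against) would still print a value and pass. Capturing the same call's result from an unoptimized reference copy of `f`/`f2` and checking it with `assertEquals` against the optimized call would catch the wrong-result case as well; the existing three warm-up calls with `false` should stay as they are so the optimization shape that triggers the bug is preserved.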

