Reviewers: ulan,
Description:
Check in Lithium that the allocation size is in Smi range.
This is to avoid triggering an assertion from Smi::FromInt. The
generated code is unreachable, so it is not a real bug.
[email protected]
BUG=
Please review this at https://codereview.chromium.org/221743005/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+23, -11 lines):
M src/arm/lithium-codegen-arm.cc
M src/ia32/lithium-codegen-ia32.cc
A + test/mjsunit/regress/regress-alloc-smi-check.js
Index: src/arm/lithium-codegen-arm.cc
diff --git a/src/arm/lithium-codegen-arm.cc b/src/arm/lithium-codegen-arm.cc
index
63e60ba66b00a11c106d4dee938fcdf0c316e07c..e30b25b58691273ccb210fdaa30dc560283c86ce
100644
--- a/src/arm/lithium-codegen-arm.cc
+++ b/src/arm/lithium-codegen-arm.cc
@@ -5357,7 +5357,13 @@ void LCodeGen::DoDeferredAllocate(LAllocate* instr) {
__ push(size);
} else {
int32_t size = ToInteger32(LConstantOperand::cast(instr->size()));
- __ Push(Smi::FromInt(size));
+ if (size >= 0 && size <= Smi::kMaxValue) {
+ __ Push(Smi::FromInt(size));
+ } else {
+ // We should never get here at runtime => abort
+ __ stop("invalid allocation size");
+ return;
+ }
}
int flags = AllocateDoubleAlignFlag::encode(
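Review bot: The comment on the new else branch, `// We should never get here at runtime => abort`, describes the wrong moment: the range test itself runs at code-generation time on a constant operand, and the only thing that happens at runtime is the emitted `stop`. A comment matching the code would be `// Constant size is outside Smi range. Hydrogen only produces this on a dead path, so emit a trap instead of letting Smi::FromInt assert.` The early `return` leaves the rest of the deferred stub (the flags push below and whatever follows) unemitted, which is sound only because `stop` never falls through; if `stop` is a simulator-only instruction in some build configuration, the hardware path needs a real breakpoint, which is worth confirming. V8 also has `Smi::IsValid()`; if it covers the same range, `if (size >= 0 && Smi::IsValid(size))` states the intent more directly than spelling out `kMaxValue`. DoDeferredAllocate begins and ends outside the hunk.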
Index: src/ia32/lithium-codegen-ia32.cc
diff --git a/src/ia32/lithium-codegen-ia32.cc
b/src/ia32/lithium-codegen-ia32.cc
index
6c934b7ce9a7654a3b8fd6faa4238a2481f899dd..322df344900c3c99cfa9daf0f66c0a78139ce1a4
100644
--- a/src/ia32/lithium-codegen-ia32.cc
+++ b/src/ia32/lithium-codegen-ia32.cc
@@ -5951,7 +5951,13 @@ void LCodeGen::DoDeferredAllocate(LAllocate* instr) {
__ push(size);
} else {
int32_t size = ToInteger32(LConstantOperand::cast(instr->size()));
- __ push(Immediate(Smi::FromInt(size)));
+ if (size >= 0 && size <= Smi::kMaxValue) {
+ __ push(Immediate(Smi::FromInt(size)));
+ } else {
+ // We should never get here at runtime => abort
+ __ int3();
+ return;
+ }
}
int flags = AllocateDoubleAlignFlag::encode(
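Review bot: The guard at `if (size >= 0 && size <= Smi::kMaxValue)` repeats the arm backend's check and comment verbatim, and the same `Smi::FromInt(size)` push presumably exists in the other backends with 31-bit Smis (mips at least); those are not in this change, so they either still trip the original assertion or need the same guard, which is worth checking before landing. Because `size` is a codegen-time constant, the `int3` only ever executes if the dead-path reasoning in the description is wrong, and the `return` after it is what stops the flags push and the rest of the deferred stub from being emitted. A comment such as `// int3 never falls through, so stop emitting the deferred stub here.` would explain why the function bails out rather than continuing. DoDeferredAllocate starts and ends outside the hunk.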
Index: test/mjsunit/regress/regress-alloc-smi-check.js
diff --git a/test/mjsunit/regress/regress-crbug-357330.js
b/test/mjsunit/regress/regress-alloc-smi-check.js
similarity index 68%
copy from test/mjsunit/regress/regress-crbug-357330.js
copy to test/mjsunit/regress/regress-alloc-smi-check.js
index
b3edf00843e1a9d202212c24d96dc3ad5d027f12..295048a13ef862ceb21939de104e7968dd7772da
100644
--- a/test/mjsunit/regress/regress-crbug-357330.js
+++ b/test/mjsunit/regress/regress-alloc-smi-check.js
@@ -1,16 +1,16 @@
// Copyright 2014 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-
+//
// Flags: --allow-natives-syntax
-function f(foo) {
- var g;
- true ? (g = foo + 0) : g = null;
- if (null != g) {}
-};
+var x = {};
+
+function f(a) {
+ a[200000000] = x;
+}
-f(1.4);
-f(1.4);
+f(new Array(100000));
+f([]);
%OptimizeFunctionOnNextCall(f);
-f(1.4);
+f([]);
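Review bot: The test only checks that `f([])` does not crash after optimization; it never verifies that the store at `a[200000000] = x` took effect, so a regression that silently skipped the allocation would still pass. Keep a handle on the array and assert on it for the optimized call, e.g. `var a = []; f(a); assertEquals(x, a[200000000]);`. The `+//` line replacing the blank line after the license header is an empty comment marker where the copied test used a blank line; a plain blank line reads better. The choice of 200000000 appears intended to make the constant element-store size fall outside Smi range on 32-bit targets, but that is inferred from the file name rather than stated; a one-line comment explaining why this index was picked would help whoever next touches the test.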