[turbofan] Fix bug in typed array iteration
... by making sure we deopt when the buffer is detached. Bug: chromium:1074736 Change-Id: I86e4e63014767766d7c079c3a3e38d947c76ef10 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2168874 Commit-Queue: Georg Neis <neis@chromium.org> Commit-Queue: Michael Stanton <mvstanton@chromium.org> Auto-Submit: Georg Neis <neis@chromium.org> Reviewed-by: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/master@{#67437}
This commit is contained in:
parent
f8b23009bf
commit
0188a33c78
@ -5506,6 +5506,32 @@ Reduction JSCallReducer::ReduceArrayIterator(Node* node,
|
||||
return NoChange();
|
||||
}
|
||||
|
||||
if (array_kind == ArrayIteratorKind::kTypedArray) {
|
||||
// Make sure we deopt when the JSArrayBuffer is detached.
|
||||
if (!dependencies()->DependOnArrayBufferDetachingProtector()) {
|
||||
CallParameters const& p = CallParametersOf(node->op());
|
||||
if (p.speculation_mode() == SpeculationMode::kDisallowSpeculation) {
|
||||
return NoChange();
|
||||
}
|
||||
Node* buffer = effect = graph()->NewNode(
|
||||
simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()),
|
||||
receiver, effect, control);
|
||||
Node* buffer_bit_field = effect = graph()->NewNode(
|
||||
simplified()->LoadField(AccessBuilder::ForJSArrayBufferBitField()),
|
||||
buffer, effect, control);
|
||||
Node* check = graph()->NewNode(
|
||||
simplified()->NumberEqual(),
|
||||
graph()->NewNode(
|
||||
simplified()->NumberBitwiseAnd(), buffer_bit_field,
|
||||
jsgraph()->Constant(JSArrayBuffer::WasDetachedBit::kMask)),
|
||||
jsgraph()->ZeroConstant());
|
||||
effect = graph()->NewNode(
|
||||
simplified()->CheckIf(DeoptimizeReason::kArrayBufferWasDetached,
|
||||
p.feedback()),
|
||||
check, effect, control);
|
||||
}
|
||||
}
|
||||
|
||||
// Morph the {node} into a JSCreateArrayIterator with the given {kind}.
|
||||
RelaxControls(node);
|
||||
node->ReplaceInput(0, receiver);
|
||||
|
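Review bot: The comment at the top of the new block, `// Make sure we deopt when the JSArrayBuffer is detached.`, hides that the protector dependency is the primary mechanism and the inline bit-field check only the fallback; I would replace it with `// A detached backing buffer must not reach the fast iterator: while the detaching protector is intact, depend on it (any later detach deoptimizes this code); once it has been invalidated, emit an explicit WasDetachedBit check at iterator creation instead.` The `kDisallowSpeculation` early-out is correct as written, since the dependency is only recorded when `DependOnArrayBufferDetachingProtector()` returns true, so `return NoChange();` leaves nothing dangling, but it deserves a one-line comment such as `// No speculation feedback means we cannot deopt here; leave the generic call, which presumably raises the TypeError seen in the unoptimized run of the regression test.` Note that the explicit `CheckIf(DeoptimizeReason::kArrayBufferWasDetached, ...)` is evaluated once, when the iterator is created, so a detach that happens during iteration must be handled by the iteration code itself, which is outside this hunk. ReduceArrayIterator starts and ends outside the hunk.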
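--- /dev/null
+++ b/test/mjsunit/compiler/regress-1074736.js
@@ -0,0 +1,17 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var arr = new Uint8Array();
+%ArrayBufferDetach(arr.buffer);
+
+function foo() {
+return arr[Symbol.iterator]();
+}
+
+%PrepareFunctionForOptimization(foo);
+assertThrows(foo, TypeError);
+%OptimizeFunctionOnNextCall(foo);
+assertThrows(foo, TypeError);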
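Review bot: The regression test only exercises the fallback path of the fix: `%ArrayBufferDetach(arr.buffer)` runs before `%OptimizeFunctionOnNextCall(foo)`, so the detaching protector should already be invalidated when `foo` is compiled and the optimized code has to contain the explicit WasDetachedBit check, while the protector-dependency branch is never compiled here. A second case that optimizes a function over an intact buffer first and detaches it afterwards, e.g. `var arr2 = new Uint8Array(); ... %OptimizeFunctionOnNextCall(bar); bar(); %ArrayBufferDetach(arr2.buffer); assertThrows(bar, TypeError);`, would cover that branch and confirm the dependency actually deoptimizes. A short comment above `%ArrayBufferDetach(arr.buffer);` such as `// Detach before optimizing so the detaching protector is already gone and TurboFan must emit an explicit check.` would make the intent of the ordering clear.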