AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[turbofan] Fix bug in typed array iteration

Browse Source 
... by making sure we deopt when the buffer is detached.

Bug: chromium:1074736
Change-Id: I86e4e63014767766d7c079c3a3e38d947c76ef10
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2168874
Commit-Queue: Georg Neis <neis@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67437}
This commit is contained in:
Georg Neis 2020-04-28 14:40:22 +02:00 committed by Commit Bot
parent f8b23009bf
commit 0188a33c78
2 changed files with 43 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/compiler/js-call-reducer.cc
View File

@ -5506,6 +5506,32 @@ Reduction JSCallReducer::ReduceArrayIterator(Node* node,
return NoChange(); return NoChange();
} }
if (array_kind == ArrayIteratorKind::kTypedArray) {
// Make sure we deopt when the JSArrayBuffer is detached.
if (!dependencies()->DependOnArrayBufferDetachingProtector()) {
CallParameters const& p = CallParametersOf(node->op());
if (p.speculation_mode() == SpeculationMode::kDisallowSpeculation) {
return NoChange();
}
Node* buffer = effect = graph()->NewNode(
simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()),
receiver, effect, control);
Node* buffer_bit_field = effect = graph()->NewNode(
simplified()->LoadField(AccessBuilder::ForJSArrayBufferBitField()),
buffer, effect, control);
Node* check = graph()->NewNode(
simplified()->NumberEqual(),
graph()->NewNode(
simplified()->NumberBitwiseAnd(), buffer_bit_field,
jsgraph()->Constant(JSArrayBuffer::WasDetachedBit::kMask)),
jsgraph()->ZeroConstant());
effect = graph()->NewNode(
simplified()->CheckIf(DeoptimizeReason::kArrayBufferWasDetached,
p.feedback()),
check, effect, control);
}
}
// Morph the {node} into a JSCreateArrayIterator with the given {kind}. // Morph the {node} into a JSCreateArrayIterator with the given {kind}.
RelaxControls(node); RelaxControls(node);
node->ReplaceInput(0, receiver); node->ReplaceInput(0, receiver);

17
test/mjsunit/compiler/regress-1074736.js Normal file
View File

@ -0,0 +1,17 @@
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
var arr = new Uint8Array();
%ArrayBufferDetach(arr.buffer);
function foo() {
return arr[Symbol.iterator]();
}
%PrepareFunctionForOptimization(foo);
assertThrows(foo, TypeError);
%OptimizeFunctionOnNextCall(foo);
assertThrows(foo, TypeError);