AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[ic] Fix KeyedHasIC_SloppyArguments implementation

Browse Source 
... to be in sync with KeyedLoadIC_SloppyArguments in handling OOB
accesses which may involve prototype chain walk.

Bug: chromium:1063796
Change-Id: I8421c19085dfd2f3b6360c64fd04f53b1351576c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2174504
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67541}
This commit is contained in:
Igor Sheludko 2020-05-01 15:40:25 +02:00 committed by Commit Bot
parent d5157326eb
commit 0d44905481
2 changed files with 29 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
src/builtins/builtins-handler-gen.cc
View File

@ -158,31 +158,26 @@ TNode<Object> HandlerBuiltinsAssembler::EmitKeyedSloppyArguments(
TNode<IntPtrT> backing_store_length = TNode<IntPtrT> backing_store_length =
LoadAndUntagFixedArrayBaseLength(backing_store); LoadAndUntagFixedArrayBaseLength(backing_store);
if (access_mode == ArgumentsAccessMode::kHas) {
Label out_of_bounds(this);
GotoIf(UintPtrGreaterThanOrEqual(key, backing_store_length),
&out_of_bounds);
TNode<Object> result = LoadFixedArrayElement(backing_store, key);
var_result =
SelectBooleanConstant(TaggedNotEqual(result, TheHoleConstant()));
Goto(&end);
BIND(&out_of_bounds); // Out-of-bounds access may involve prototype chain walk and is handled
var_result = FalseConstant(); // in runtime.
Goto(&end); GotoIf(UintPtrGreaterThanOrEqual(key, backing_store_length), bailout);
// The key falls into unmapped range.
if (access_mode == ArgumentsAccessMode::kStore) {
StoreFixedArrayElement(backing_store, key, *value);
} else { } else {
GotoIf(UintPtrGreaterThanOrEqual(key, backing_store_length), bailout); TNode<Object> value = LoadFixedArrayElement(backing_store, key);
GotoIf(TaggedEqual(value, TheHoleConstant()), bailout);
// The key falls into unmapped range. if (access_mode == ArgumentsAccessMode::kHas) {
if (access_mode == ArgumentsAccessMode::kLoad) { var_result = TrueConstant();
TNode<Object> result = LoadFixedArrayElement(backing_store, key);
GotoIf(TaggedEqual(result, TheHoleConstant()), bailout);
var_result = result;
} else { } else {
StoreFixedArrayElement(backing_store, key, *value); DCHECK_EQ(access_mode, ArgumentsAccessMode::kLoad);
var_result = value;
} }
Goto(&end);
} }
Goto(&end);
} }
BIND(&end); BIND(&end);

15
test/mjsunit/regress/regress-crbug-1063796.js Normal file
View File

@ -0,0 +1,15 @@
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
Object.prototype[1] = 1;
function foo(baz) {
return 1 in arguments;
}
assertTrue(foo(0));
%PrepareFunctionForOptimization(foo);
assertTrue(foo(0));
%OptimizeFunctionOnNextCall(foo);
assertTrue(foo(0));