Ensure we don't overflow in BCE

BUG=chromium:469148 LOG=y R=dcarney@chromium.org Review URL: https://codereview.chromium.org/1023123003 Cr-Commit-Position: refs/heads/master@{#27346}
2015-03-20 17:42:51 +01:00 · 2015-03-20 17:42:51 +01:00 · 0f573464e6
commit 0f573464e6
parent 371ae8c7ad
2 changed files with 37 additions and 1 deletions
--- a/src/hydrogen-bce.cc
+++ b/src/hydrogen-bce.cc
@ -56,7 +56,8 @@ class BoundsCheckKey : public ZoneObject {
      constant = HConstant::cast(check->index());
    }

-    if (constant != NULL && constant->HasInteger32Value()) {
+    if (constant != NULL && constant->HasInteger32Value() &&
+        constant->Integer32Value() != kMinInt) {
      *offset = is_sub ? - constant->Integer32Value()
                       : constant->Integer32Value();
    } else {
--- a/test/mjsunit/regress/regress-bce-underflow.js
+++ b/test/mjsunit/regress/regress-bce-underflow.js
@ -0,0 +1,35 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f(a, i, bool) {
+  var result;
+  if (bool) {
+    // Make sure i - -0x80000000 doesn't overflow in BCE, missing a check for
+    // x-0 later on.
+    result = f2(a, 0x7fffffff, i, i, -0x80000000);
+  } else {
+    result = f2(a, -3, 4, i, 0);
+  }
+  return result;
+}
+
+function f2(a, c, x, i, d) {
+  return a[x + c] + a[x - 0] + a[i - d];
+}
+
+
+var a = [];
+var i = 0;
+a.push(i++);
+a.push(i++);
+a.push(i++);
+a.push(i++);
+a.push(i++);
+f(a, 0, false);
+f(a, 0, false);
+f(a, 0, false);
+%OptimizeFunctionOnNextCall(f);
+%DebugPrint(f(a, -0x7fffffff, true));