Ensure we don't overflow in BCE

BUG=chromium:469148
LOG=y
R=dcarney@chromium.org

Review URL: https://codereview.chromium.org/1023123003

Cr-Commit-Position: refs/heads/master@{#27346}
Toon Verwaest 2015-03-20 17:42:51 +01:00
parent 371ae8c7ad
commit 0f573464e6
2 changed files with 37 additions and 1 deletions


@ -56,7 +56,8 @@ class BoundsCheckKey : public ZoneObject {
constant = HConstant::cast(check->index());
}
if (constant != NULL && constant->HasInteger32Value()) {
if (constant != NULL && constant->HasInteger32Value() &&
constant->Integer32Value() != kMinInt) {
*offset = is_sub ? - constant->Integer32Value()
: constant->Integer32Value();
} else {
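Review bot: The new `!= kMinInt` guard in the condition carries no comment saying why that one constant is rejected, and the reason is not obvious from the two lines: only the `is_sub` arm negates `constant->Integer32Value()`, and `-kMinInt` does not fit in an int32, so the offset would silently wrap. The guard also rejects kMinInt on the add side, where no overflow occurs; that is conservative and safe (the constant simply falls through to the else branch), but a later reader may "tighten" it unless the intent is written down. I would put `// -kMinInt overflows int32, so a kMinInt constant cannot be folded into the offset; fall back to treating it as non-constant.` above the `if`. The enclosing function begins and ends outside the hunk, so I cannot see whether the resulting `*offset` is later added to another offset, which could overflow for other large constants as well; worth confirming there.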


@ -0,0 +1,35 @@
// Copyright 2015 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f(a, i, bool) {
var result;
if (bool) {
// Make sure i - -0x80000000 doesn't overflow in BCE, missing a check for
// x-0 later on.
result = f2(a, 0x7fffffff, i, i, -0x80000000);
} else {
result = f2(a, -3, 4, i, 0);
}
return result;
}
function f2(a, c, x, i, d) {
return a[x + c] + a[x - 0] + a[i - d];
}
var a = [];
var i = 0;
a.push(i++);
a.push(i++);
a.push(i++);
a.push(i++);
a.push(i++);
f(a, 0, false);
f(a, 0, false);
f(a, 0, false);
%OptimizeFunctionOnNextCall(f);
%DebugPrint(f(a, -0x7fffffff, true));
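Review bot: The final line only prints the optimized result with `%DebugPrint` and asserts nothing, so the test catches this regression only when the missing `x - 0` check makes the out-of-bounds read crash; a build that instead returns a wrong value would pass. If I follow the arithmetic, with `i = -0x7fffffff` the three reads are `a[0]`, `a[-0x7fffffff]` (out of bounds, `undefined`) and `a[1]`, so the expected value is `NaN`; pinning it, e.g. `assertTrue(isNaN(f(a, -0x7fffffff, true)));` after the `%OptimizeFunctionOnNextCall(f)` line, would make the test a real regression check rather than a crash probe. The inline comment on the `bool` branch is useful; a one-line header comment naming the bug (`// Regression test for chromium:469148: BCE offset overflow on i - kMinInt.`) would help whoever next reads the file in isolation.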