[debug] whitelist Array.p.splice, typeof methods

Side effect free whitelist now - supports 'typeof' when it performs Load operations - runtime checks for Array.p.splice Bug: v8:7588 Change-Id: I45bcd705f8d3f2d2ee61f018566439bf56d1bcbc Reviewed-on: https://chromium-review.googlesource.com/1037926 Reviewed-by: Yang Guo <yangguo@chromium.org> Commit-Queue: Erik Luo <luoe@chromium.org> Cr-Commit-Position: refs/heads/master@{#52976}
2018-05-03 14:16:49 -07:00 · 2018-05-03 14:16:49 -07:00 · 405c1dc7d4
commit 405c1dc7d4
parent c4a04312fa
4 changed files with 19 additions and 3 deletions
--- a/src/debug/debug-evaluate.cc
+++ b/src/debug/debug-evaluate.cc
@ -348,6 +348,7 @@ bool IntrinsicHasNoSideEffect(Runtime::FunctionId id) {
  V(EstimateNumberOfElements)            \
  V(GetArrayKeys)                        \
  V(HasComplexElements)                  \
+  V(HasFastPackedElements)               \
  V(NewArray)                            \
  V(NormalizeElements)                   \
  V(RemoveArrayHoles)                    \
@ -495,6 +496,8 @@ bool BytecodeHasNoSideEffect(interpreter::Bytecode bytecode) {
    case Bytecode::kLdaGlobal:
    case Bytecode::kLdaNamedProperty:
    case Bytecode::kLdaKeyedProperty:
+    case Bytecode::kLdaGlobalInsideTypeof:
+    case Bytecode::kLdaLookupSlotInsideTypeof:
    // Arithmetics.
    case Bytecode::kAdd:
    case Bytecode::kAddSmi:
@ -871,6 +874,7 @@ SharedFunctionInfo::SideEffectState BuiltinGetSideEffectState(
    case Builtins::kArrayPrototypePop:
    case Builtins::kArrayPrototypePush:
    case Builtins::kArrayPrototypeShift:
+    case Builtins::kArraySplice:
    case Builtins::kArrayUnshift:
    // Map builtins.
    case Builtins::kMapIteratorPrototypeNext:
--- a/test/debugger/debug/side-effect/debug-evaluate-no-side-effect-builtins-2.js
+++ b/test/debugger/debug/side-effect/debug-evaluate-no-side-effect-builtins-2.js
@ -12,6 +12,10 @@ var weak_key = [];
 var weak_map = new WeakMap().set(weak_key, "a").set({}, "b");
 var weak_set = new WeakSet([weak_key, {}]);
 var add = function (a, b) { return a + b; };
+var number_value = 13;
+function get_number() {
+  return typeof(number_value);
+};

 function listener(event, exec_state, event_data, data) {
  if (event != Debug.DebugEvent.Break) return;
@ -67,6 +71,8 @@ function listener(event, exec_state, event_data, data) {
    success("abc", `unescape("abc")`);
    success(true, `isFinite(0)`);
    success(true, `isNaN(0/0)`);
+    success("object", `typeof date`);
+    success("number", `get_number()`);

    // Test Map functions.
    success(undefined, `new Map()`);
--- a/test/debugger/debug/side-effect/debug-evaluate-no-side-effect-builtins.js
+++ b/test/debugger/debug/side-effect/debug-evaluate-no-side-effect-builtins.js
@ -89,9 +89,6 @@ function listener(event, exec_state, event_data, data) {
      }
    }

-    success([1,1,1], '[1,2,3].fill(1)');
-    fail(`array.fill(1)`);
-
    // Test ArrayBuffer functions.
    success(3, `array_buffer.byteLength`);
    success(2, `array_buffer.slice(1, 3).byteLength`);
--- a/test/debugger/debug/side-effect/debug-evaluate-no-side-effect-runtime-check.js
+++ b/test/debugger/debug/side-effect/debug-evaluate-no-side-effect-runtime-check.js
@ -95,15 +95,24 @@ fail(`(() => {
 })()`);

 // Array builtins with temporary objects
+success([1,1,1], '[1,2,3].fill(1)');
+fail(`array.fill(1)`);
+
 success([1], `(() => { const a = []; a.push(1); return a; })()`);
 fail(`array.push(1)`);

 success([1], `(() => { const a = [1,2]; a.pop(); return a; })()`);
 fail(`array.pop()`);

+success([3,2,1], `[1,2,3].reverse()`);
+fail(`array.reverse()`);
+
 success([1,2,3], `[2,1,3].sort()`);
 fail(`array.sort()`);

+success([2,3], `[1,2,3].splice(1,2)`);
+fail(`array.splice(1,2)`);
+
 success([1,2], `(() => { const a = [2]; a.unshift(1); return a; })()`);
 fail(`array.unshift(1)`);
 success(1, `[1,2].shift()`);