From 84cfc9ca7156ec6e593eaccc4dd1da39760ba164 Mon Sep 17 00:00:00 2001
From: Mike Stanton <mvstanton@chromium.org>
Date: Tue, 12 Oct 2021 23:42:25 +0200
Subject: [PATCH] [ic] KeyedLoadIC error on strings with negative indexes

We need to check if the index is less than zero and miss to the runtime
if this is so.

Bug: chromium:1257519
Change-Id: I7d22f2765232815120b8baf7b8b83d5b00024375
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3218975
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77380}
---
 src/ic/accessor-assembler.cc                  |  5 ++--
 test/mjsunit/regress/regress-crbug-1257519.js | 23 +++++++++++++++++++
 2 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-1257519.js

diff --git a/src/ic/accessor-assembler.cc b/src/ic/accessor-assembler.cc
index 2cd0575cb5..98c7b39913 100644
--- a/src/ic/accessor-assembler.cc
+++ b/src/ic/accessor-assembler.cc
@@ -590,15 +590,16 @@ void AccessorAssembler::HandleLoadICSmiHandlerCase(
 
         Comment("indexed string");
         TNode<String> string_holder = CAST(holder);
-        TNode<UintPtrT> index = Unsigned(TryToIntptr(p->name(), miss));
+        TNode<IntPtrT> index = TryToIntptr(p->name(), miss);
         TNode<UintPtrT> length =
             Unsigned(LoadStringLengthAsWord(string_holder));
         GotoIf(UintPtrGreaterThanOrEqual(index, length), &if_oob_string);
-        TNode<Int32T> code = StringCharCodeAt(string_holder, index);
+        TNode<Int32T> code = StringCharCodeAt(string_holder, Unsigned(index));
         TNode<String> result = StringFromSingleCharCode(code);
         Return(result);
 
         BIND(&if_oob_string);
+        GotoIf(IntPtrLessThan(index, IntPtrConstant(0)), miss);
         TNode<BoolT> allow_out_of_bounds =
             IsSetWord<LoadHandler::AllowOutOfBoundsBits>(handler_word);
         GotoIfNot(allow_out_of_bounds, miss);
diff --git a/test/mjsunit/regress/regress-crbug-1257519.js b/test/mjsunit/regress/regress-crbug-1257519.js
new file mode 100644
index 0000000000..45d9b3af68
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-1257519.js
@@ -0,0 +1,23 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --no-lazy-feedback-allocation
+
+var a = "hello";
+function foo(i) {
+  var x = a[i];
+  return x;
+}
+
+// Set up the KeyedLoadIC for monomorphic string load.
+foo(4);
+foo(4);
+foo(4);
+// That also handles out of bounds indexes.
+assertEquals(foo(8), undefined);
+
+// Add a negative indexed property (not an element, so the
+// NoElement protector will not fire).
+Object.prototype[-1] = 2;
+assertEquals(2, foo(-1));