[ic] KeyedLoadIC error on strings with negative indexes

We need to check if the index is less than zero and miss to the runtime if this is so. Bug: chromium:1257519 Change-Id: I7d22f2765232815120b8baf7b8b83d5b00024375 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3218975 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/main@{#77380}
2021-10-12 23:42:25 +02:00 · 2021-10-12 23:42:25 +02:00 · 84cfc9ca71
commit 84cfc9ca71
parent 2a00a4eceb
2 changed files with 26 additions and 2 deletions
--- a/src/ic/accessor-assembler.cc
+++ b/src/ic/accessor-assembler.cc
@ -590,15 +590,16 @@ void AccessorAssembler::HandleLoadICSmiHandlerCase(

        Comment("indexed string");
        TNode<String> string_holder = CAST(holder);
-        TNode<UintPtrT> index = Unsigned(TryToIntptr(p->name(), miss));
+        TNode<IntPtrT> index = TryToIntptr(p->name(), miss);
        TNode<UintPtrT> length =
            Unsigned(LoadStringLengthAsWord(string_holder));
        GotoIf(UintPtrGreaterThanOrEqual(index, length), &if_oob_string);
-        TNode<Int32T> code = StringCharCodeAt(string_holder, index);
+        TNode<Int32T> code = StringCharCodeAt(string_holder, Unsigned(index));
        TNode<String> result = StringFromSingleCharCode(code);
        Return(result);

        BIND(&if_oob_string);
+        GotoIf(IntPtrLessThan(index, IntPtrConstant(0)), miss);
        TNode<BoolT> allow_out_of_bounds =
            IsSetWord<LoadHandler::AllowOutOfBoundsBits>(handler_word);
        GotoIfNot(allow_out_of_bounds, miss);
--- a/test/mjsunit/regress/regress-crbug-1257519.js
+++ b/test/mjsunit/regress/regress-crbug-1257519.js
@ -0,0 +1,23 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --no-lazy-feedback-allocation
+
+var a = "hello";
+function foo(i) {
+  var x = a[i];
+  return x;
+}
+
+// Set up the KeyedLoadIC for monomorphic string load.
+foo(4);
+foo(4);
+foo(4);
+// That also handles out of bounds indexes.
+assertEquals(foo(8), undefined);
+
+// Add a negative indexed property (not an element, so the
+// NoElement protector will not fire).
+Object.prototype[-1] = 2;
+assertEquals(2, foo(-1));