[turbofan] NumberToString can return non-sequential strings.

TurboFan assumed that the output of NumberToString is always a sequential string, since that's what we put into the number to string table. However we might eventually morph these strings into ThinStrings when we need to internalize them, in which case the type in TurboFan will be wrong, and we read out of bounds. Also-By: tebbi@chromium.org Bug: chromium:822284 Change-Id: I5aebe73028b95849fff72bba262c517677112353 Reviewed-on: https://chromium-review.googlesource.com/964523 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#51970}
2018-03-15 17:00:41 +01:00 · 2018-03-15 17:00:41 +01:00 · c65f0a78c3
commit c65f0a78c3
parent 3813cbf210
2 changed files with 23 additions and 1 deletions
--- a/src/compiler/operation-typer.cc
+++ b/src/compiler/operation-typer.cc
@ -510,7 +510,7 @@ Type* OperationTyper::NumberToString(Type* type) {
  if (type->IsNone()) return type;
  if (type->Is(Type::NaN())) return singleton_NaN_string_;
  if (type->Is(cache_.kZeroOrMinusZero)) return singleton_zero_string_;
-  return Type::SeqString();
+  return Type::String();
 }

 Type* OperationTyper::NumberToUint32(Type* type) {
--- a/test/mjsunit/regress/regress-crbug-822284.js
+++ b/test/mjsunit/regress/regress-crbug-822284.js
@ -0,0 +1,22 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(a) {
+  a = "" + Math.abs(a);
+  return a.charCodeAt(0);
+}
+
+// Add '1' to the number to string table (as SeqString).
+String.fromCharCode(49);
+
+// Turn the SeqString into a ThinString via forced internalization.
+const o = {};
+o[(1).toString()] = 1;
+
+assertEquals(49, foo(1));
+assertEquals(49, foo(1));
+%OptimizeFunctionOnNextCall(foo);
+assertEquals(49, foo(1));