[builtins] Allow TypedArray constructor to accept big negative numbers.

Previously we enforced that all lengths for ArrayLike objects must be within Smi range, but all negative numbers should actually be first converted to +0. Bug: chromium:740372 Change-Id: If50de9ce0eeb7cb09e14b8e8803f434350d00508 Reviewed-on: https://chromium-review.googlesource.com/566867 Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#46615}
2017-07-12 17:45:44 +02:00 · 2017-07-12 17:45:44 +02:00 · d11da5891f
commit d11da5891f
parent de3a85d1c1
2 changed files with 11 additions and 3 deletions
--- a/src/code-stub-assembler.cc
+++ b/src/code-stub-assembler.cc
@ -4826,9 +4826,11 @@ Node* CodeStubAssembler::ToSmiLength(Node* input, Node* const context,
  BIND(&to_integer);
  result.Bind(ToInteger(context, result.value(),
                        CodeStubAssembler::kTruncateMinusZero));
-  GotoIfNot(TaggedIsSmi(result.value()), range_error);
-  CSA_ASSERT(this, TaggedIsSmi(result.value()));
-  Goto(&negative_check);
+  GotoIf(TaggedIsSmi(result.value()), &negative_check);
+  // result.value() can still be a negative HeapNumber here.
+  Branch(IsTrue(CallBuiltin(Builtins::kLessThan, context, result.value(),
+                            SmiConstant(0))),
+         &return_zero, range_error);

  BIND(&negative_check);
  Branch(SmiLessThan(result.value(), SmiConstant(0)), &return_zero, &done);
--- a/test/mjsunit/es6/typedarray-construct-by-array-like.js
+++ b/test/mjsunit/es6/typedarray-construct-by-array-like.js
@ -196,6 +196,12 @@ tests.push(function TestOffsetIsUsed(constr) {
  TestOffsetIsUsedRunner(constr, 128);
 });

+tests.push(function TestLengthIsNonSmiNegativeNumber(constr) {
+  var ta = new constr({length: -%_MaxSmi() - 2});
+
+  assertEquals(0, ta.length);
+});
+
 // Helpers for above tests.

 function TestOffsetIsUsedRunner(constr, n) {