AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
ff1dba398d
v8/test/mjsunit/regress-1358505.js
Nico Hartmann cfc4a2d16e Reland^2 "[turbofan] Optimize rab/gsab-backed TypedArrays and DataViews" 
This reverts commit 57db447bf2.

This reland adds handling for Oddballs in Int64Add and Int64Sub in the
SLVerifier and updates the Verifier to check that Int32Constant and
Int64Constant are correctly typed with Type::Machine().

Original change's description:
> [turbofan] Optimize rab/gsab-backed TypedArrays and DataViews
>
> This CL adds TurboFan optimizations for length and element access
> of TypedArrays and DataViews that are rab/gsab-backed.
>
> To enable this optimization, this CL builds the necessary machinery
> required to allow machine operators at the front of the pipeline
> (before simplified lowering). Some key changes to allow this are:
>  - Introduce Type::Machine() to allow the typer and the verifier to
>    provide a type to those machine operators in parts of the pipeline
>    that require nodes to be typed.
>  - Add EnterMachineGraph and ExitMachineGraph operators that define
>    the boundary between early machine graphs and the normal graph with
>    JS semantics.
>  - Give Branch operators a BranchSemantics parameter to distinguish
>    between machine branches (condition is a machine level value) and
>    JS branches (condition is a JS boolean value) and have phases that
>    handle branches decide on the branch's semantics based on this
>    parameter instead of the position in the pipeline.
>  - Extend SimplifiedLowering and SimplifiedLoweringVerifier to handle
>    machine graphs. In particular, constants required special handling,
>    because they are cached in the graph but they may have uses in both
>    a machine and the JS graph, which prevents consistent typing of
>    them.
>  - Moved lots of logic from JSCallReducerAssembler into
>    [JS]GraphAssembler such that functionality can be shared between
>    different phases (e.g. JSNativeContextSpecialization and
>    JSCallReducer need to generate logic to compute a TypedArray's
>    byte length). Extended assembler interface in general with
>    additional TNode<> overloads.
>
>
> Bug: v8:11111, chromium:1358505
> Change-Id: Ife006b8c38a83045cd3b8558acbfdcb66408891f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898690
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83881}

Bug: v8:11111, chromium:1358505, v8:13412, chromium:1378439, chromium:1378162
Change-Id: I89702c4be05e0e71cd6836dc50d2e26736a55429
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3980759
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83956}
2022-10-27 13:06:06 +00:00

52 lines
1.4 KiB
JavaScript
Raw Blame History

// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --harmony-rab-gsab
(function Test_OOB() {
function f() {
try {
const buffer = new ArrayBuffer(42, {'maxByteLength': 42});
const view = new DataView(buffer, 0, 42);
// Resize the buffer to smaller than the view.
buffer.resize(20);
// Any access in the view should throw.
view.setInt8(11, 0xab);
return 'did not prevent out-of-bounds access';
} catch (e) {
return 'ok';
}
}
%PrepareFunctionForOptimization(f);
assertEquals('ok', f());
assertEquals('ok', f());
%OptimizeFunctionOnNextCall(f);
assertEquals('ok', f());
assertEquals('ok', f());
}());
(function Test_OOB_WithOffset() {
function f() {
try {
const buffer = new ArrayBuffer(42, {'maxByteLength': 42});
const view = new DataView(buffer, 30, 42);
// Resize the buffer to smaller than the view.
buffer.resize(40);
// Any access in the view should throw.
view.setInt8(11, 0xab);
return 'did not prevent out-of-bounds access';
} catch (e) {
return 'ok';
}
}
%PrepareFunctionForOptimization(f);
assertEquals('ok', f());
assertEquals('ok', f());
%OptimizeFunctionOnNextCall(f);
assertEquals('ok', f());
assertEquals('ok', f());
}());
Reference in New Issue View Git Blame Copy Permalink