• Caitlin Potter's avatar
    [runtime] perform type conversion earlier in IntegerIndexedElementSet · 6c585ef0
    Caitlin Potter authored
    When storing an indexed property in a typed array, it's necessary to
    convert the value to a Number (or to a Bigint) before performing the
    bounds check, per
    https://tc39.github.io/ecma262/#sec-integerindexedelementset.
    
    This CL adds appropriate type conversions in
    Object::SetPropertyInternal (which technically is reached after the
    bounds check has already occurred, but this isn't observable yet ---
    In the future, once OOB accesses on TypedArrays actually throw, this
    will need to be refactored again), and in StoreFastElementStub, and
    ElementsTransitionAndStoreStub (via CSA::EmitElementStore).
    
    The change was not necessary in TurboFan, as
    JSNativeContextSpecialization already performs the value conversion
    before the boundscheck.
    
    The result is some fixed test262 tests, and some new test coverage
    for this behaviour in mjsunit.
    
    BUG=v8:7896, v8:5327
    R=neis@chromium.org, jkummerow@chromium.org, gsathya@chromium.org
    
    Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
    Change-Id: Ibe6bec24c72ef6a4fd3e77d5bcafa03737f4c5e3
    Reviewed-on: https://chromium-review.googlesource.com/1117372
    Commit-Queue: Caitlin Potter <caitp@igalia.com>
    Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
    Reviewed-by: 's avatarJakob Kummerow <jkummerow@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#54096}
    6c585ef0
objects.cc 690 KB