[turbofan] Fix bug in typed array iteration

... by making sure we deopt when the buffer is detached. Bug: chromium:1074736 Change-Id: I86e4e63014767766d7c079c3a3e38d947c76ef10 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2168874 Commit-Queue: Georg Neis <neis@chromium.org> Commit-Queue: Michael Stanton <mvstanton@chromium.org> Auto-Submit: Georg Neis <neis@chromium.org> Reviewed-by: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/master@{#67437}

[turbofan] Fix bug in typed array iteration
... by making sure we deopt when the buffer is detached. Bug: chromium:1074736 Change-Id: I86e4e63014767766d7c079c3a3e38d947c76ef10 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2168874 Commit-Queue: Georg Neis <neis@chromium.org> Commit-Queue: Michael Stanton <mvstanton@chromium.org> Auto-Submit: Georg Neis <neis@chromium.org> Reviewed-by: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/master@{#67437}
0188a33c · Georg Neis · Commit Bot · f8b23009 · 0188a33c · 0188a33c
Commit 0188a33c authored Apr 28, 2020 by Georg Neis Committed by Commit Bot Apr 28, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 43 additions and 0 deletions

js-call-reducer.cc src/compiler/js-call-reducer.cc +26 -0

regress-1074736.js test/mjsunit/compiler/regress-1074736.js +17 -0

No files found.
--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@@ -5506,6 +5506,32 @@ Reduction JSCallReducer::ReduceArrayIterator(Node* node,
    return NoChange();
  }

+  if (array_kind == ArrayIteratorKind::kTypedArray) {
+    // Make sure we deopt when the JSArrayBuffer is detached.
+    if (!dependencies()->DependOnArrayBufferDetachingProtector()) {
+      CallParameters const& p = CallParametersOf(node->op());
+      if (p.speculation_mode() == SpeculationMode::kDisallowSpeculation) {
+        return NoChange();
+      }
+      Node* buffer = effect = graph()->NewNode(
+          simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()),
+          receiver, effect, control);
+      Node* buffer_bit_field = effect = graph()->NewNode(
+          simplified()->LoadField(AccessBuilder::ForJSArrayBufferBitField()),
+          buffer, effect, control);
+      Node* check = graph()->NewNode(
+          simplified()->NumberEqual(),
+          graph()->NewNode(
+              simplified()->NumberBitwiseAnd(), buffer_bit_field,
+              jsgraph()->Constant(JSArrayBuffer::WasDetachedBit::kMask)),
+          jsgraph()->ZeroConstant());
+      effect = graph()->NewNode(
+          simplified()->CheckIf(DeoptimizeReason::kArrayBufferWasDetached,
+                                p.feedback()),
+          check, effect, control);
+    }
+  }
+
  // Morph the {node} into a JSCreateArrayIterator with the given {kind}.
  RelaxControls(node);
  node->ReplaceInput(0, receiver);

--- a/test/mjsunit/compiler/regress-1074736.js
+++ b/test/mjsunit/compiler/regress-1074736.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var arr = new Uint8Array();
+%ArrayBufferDetach(arr.buffer);
+
+function foo() {
+  return arr[Symbol.iterator]();
+}
+
+%PrepareFunctionForOptimization(foo);
+assertThrows(foo, TypeError);
+%OptimizeFunctionOnNextCall(foo);
+assertThrows(foo, TypeError);