Ensure we don't overflow in BCE

BUG=chromium:469148 LOG=y R=dcarney@chromium.org Review URL: https://codereview.chromium.org/1023123003 Cr-Commit-Position: refs/heads/master@{#27346}

Ensure we don't overflow in BCE
BUG=chromium:469148 LOG=y R=dcarney@chromium.org Review URL: https://codereview.chromium.org/1023123003 Cr-Commit-Position: refs/heads/master@{#27346}
0f573464 · Toon Verwaest · 371ae8c7 · 0f573464 · 0f573464
Commit 0f573464 authored Mar 20, 2015 by Toon Verwaest
Show whitespace changes
Inline Side-by-side

Showing with 37 additions and 1 deletion

hydrogen-bce.cc src/hydrogen-bce.cc +2 -1

regress-bce-underflow.js test/mjsunit/regress/regress-bce-underflow.js +35 -0

No files found.
--- a/src/hydrogen-bce.cc
+++ b/src/hydrogen-bce.cc
@@ -56,7 +56,8 @@ class BoundsCheckKey : public ZoneObject {
      constant = HConstant::cast(check->index());
    }
-    if (constant != NULL && constant->HasInteger32Value()) {
+    if (constant != NULL && constant->HasInteger32Value() &&
+        constant->Integer32Value() != kMinInt) {
      *offset = is_sub ? - constant->Integer32Value()
                       : constant->Integer32Value();
    } else {

--- a/test/mjsunit/regress/regress-bce-underflow.js
+++ b/test/mjsunit/regress/regress-bce-underflow.js
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+// Flags: --allow-natives-syntax
+function f(a, i, bool) {
+  var result;
+  if (bool) {
+    // Make sure i - -0x80000000 doesn't overflow in BCE, missing a check for
+    // x-0 later on.
+    result = f2(a, 0x7fffffff, i, i, -0x80000000);
+  } else {
+    result = f2(a, -3, 4, i, 0);
+  }
+  return result;
+}
+function f2(a, c, x, i, d) {
+  return a[x + c] + a[x - 0] + a[i - d];
+}
+var a = [];
+var i = 0;
+a.push(i++);
+a.push(i++);
+a.push(i++);
+a.push(i++);
+a.push(i++);
+f(a, 0, false);
+f(a, 0, false);
+f(a, 0, false);
+%OptimizeFunctionOnNextCall(f);
+%DebugPrint(f(a, -0x7fffffff, true));