Commit 142f9dfc authored by jkummerow's avatar jkummerow Committed by Commit bot

[crankshaft] TypedArrayInitialize: force length to be a Smi

BUG=chromium:650404

Review-Url: https://codereview.chromium.org/2371963002
Cr-Commit-Position: refs/heads/master@{#39744}
parent b48eb569
...@@ -10273,6 +10273,8 @@ void HOptimizedGraphBuilder::GenerateTypedArrayInitialize( ...@@ -10273,6 +10273,8 @@ void HOptimizedGraphBuilder::GenerateTypedArrayInitialize(
HInstruction* length = AddUncasted<HDiv>(byte_length, HInstruction* length = AddUncasted<HDiv>(byte_length,
Add<HConstant>(static_cast<int32_t>(element_size))); Add<HConstant>(static_cast<int32_t>(element_size)));
// Callers (in typedarray.js) ensure that length <= %_MaxSmi().
length = AddUncasted<HForceRepresentation>(length, Representation::Smi());
Add<HStoreNamedField>(obj, Add<HStoreNamedField>(obj,
HObjectAccess::ForJSTypedArrayLength(), HObjectAccess::ForJSTypedArrayLength(),
......
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function c4(w, h) {
var size = w * h;
if (size < 0) size = 0;
return new Uint32Array(size);
}
for (var i = 0; i < 3; i++) {
// Computing -0 as the result makes the "size = w * h" multiplication IC
// go into double mode.
c4(0, -1);
}
// Optimize Uint32ConstructFromLength.
for (var i = 0; i < 1000; i++) c4(2, 2);
// This array will have a HeapNumber as its length:
var bomb = c4(2, 2);
function reader(o, i) {
// Dummy try-catch, so that TurboFan is used to optimize this.
try {} catch(e) {}
return o[i];
}
// Optimize reader!
for (var i = 0; i < 3; i++) reader(bomb, 0);
%OptimizeFunctionOnNextCall(reader);
reader(bomb, 0);
for (var i = bomb.length; i < 100; i++) {
assertEquals(undefined, reader(bomb, i));
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment