[crankshaft] Properly handle OOB string accesses.

BUG=chromium:665793 Review-Url: https://codereview.chromium.org/2589823003 Cr-Commit-Position: refs/heads/master@{#41842}

[crankshaft] Properly handle OOB string accesses.
BUG=chromium:665793 Review-Url: https://codereview.chromium.org/2589823003 Cr-Commit-Position: refs/heads/master@{#41842}
576a46f5 · ishell · Commit bot · 119db080 · 576a46f5 · 576a46f5
Commit 576a46f5 authored Dec 20, 2016 by ishell Committed by Commit bot Dec 20, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 0 deletions

hydrogen.cc src/crankshaft/hydrogen.cc +6 -0

regress-crbug-665793.js test/mjsunit/regress/regress-crbug-665793.js +12 -0

No files found.
--- a/src/crankshaft/hydrogen.cc
+++ b/src/crankshaft/hydrogen.cc
@@ -7508,6 +7508,12 @@ void HOptimizedGraphBuilder::BuildLoad(Property* expr,
    HValue* string = Pop();
    HInstruction* char_code = BuildStringCharCodeAt(string, index);
    AddInstruction(char_code);
+    if (char_code->IsConstant()) {
+      HConstant* c_code = HConstant::cast(char_code);
+      if (c_code->HasNumberValue() && std::isnan(c_code->DoubleValue())) {
+        Add<HDeoptimize>(DeoptimizeReason::kOutOfBounds, Deoptimizer::EAGER);
+      }
+    }
    instr = NewUncasted<HStringCharFromCode>(char_code);

  } else if (expr->key()->IsPropertyName()) {

--- a/test/mjsunit/regress/regress-crbug-665793.js
+++ b/test/mjsunit/regress/regress-crbug-665793.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo() {
+  return 'x'[1];
+}
+assertEquals(undefined, foo());
+%OptimizeFunctionOnNextCall(foo);
+assertEquals(undefined, foo());