PPC/s390: [crankshaft] Fix Smi overflow in {HMaybeGrowElements}.

Port 6c12d57e Original Commit Message: This fixes the case where the index passed to {HMaybeGrowElements} used to derive the new capacity for the elements backing store does not fit into Smi range. Such an overflow would fail the capacity check and cause growing to be skipped. Subsequent keyed stores would potentially go out of bounds. R=mstarzinger@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com BUG=chromium:686427 LOG=N Review-Url: https://codereview.chromium.org/2697473004 Cr-Commit-Position: refs/heads/master@{#43167}

PPC/s390: [crankshaft] Fix Smi overflow in {HMaybeGrowElements}.
Port 6c12d57e Original Commit Message: This fixes the case where the index passed to {HMaybeGrowElements} used to derive the new capacity for the elements backing store does not fit into Smi range. Such an overflow would fail the capacity check and cause growing to be skipped. Subsequent keyed stores would potentially go out of bounds. R=mstarzinger@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com BUG=chromium:686427 LOG=N Review-Url: https://codereview.chromium.org/2697473004 Cr-Commit-Position: refs/heads/master@{#43167}
673bbcbb · bjaideep · Commit bot · 2dab40cc · 673bbcbb · 673bbcbb
Commit 673bbcbb authored Feb 13, 2017 by bjaideep Committed by Commit bot Feb 13, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 6 deletions

lithium-codegen-ppc.cc src/crankshaft/ppc/lithium-codegen-ppc.cc +12 -3

lithium-codegen-s390.cc src/crankshaft/s390/lithium-codegen-s390.cc +12 -3

No files found.
--- a/src/crankshaft/ppc/lithium-codegen-ppc.cc
+++ b/src/crankshaft/ppc/lithium-codegen-ppc.cc
@@ -4354,12 +4354,21 @@ void LCodeGen::DoDeferredMaybeGrowElements(LMaybeGrowElements* instr) {
      if (Smi::IsValid(int_key)) {
        __ LoadSmiLiteral(r6, Smi::FromInt(int_key));
      } else {
-        // We should never get here at runtime because there is a smi check on
-        // the key before this point.
-        __ stop("expected smi");
+        Abort(kArrayIndexConstantValueTooBig);
      }
    } else {
+      Label is_smi;
+#if V8_TARGET_ARCH_PPC64
      __ SmiTag(r6, ToRegister(key));
+#else
+      // Deopt if the key is outside Smi range. The stub expects Smi and would
+      // bump the elements into dictionary mode (and trigger a deopt) anyways.
+      __ SmiTagCheckOverflow(r6, ToRegister(key), r0);
+      __ BranchOnNoOverflow(&is_smi);
+      __ PopSafepointRegisters();
+      DeoptimizeIf(al, instr, DeoptimizeReason::kOverflow, cr0);
+      __ bind(&is_smi);
+#endif
    }

    GrowArrayElementsStub stub(isolate(), instr->hydrogen()->kind());

--- a/src/crankshaft/s390/lithium-codegen-s390.cc
+++ b/src/crankshaft/s390/lithium-codegen-s390.cc
@@ -4299,12 +4299,21 @@ void LCodeGen::DoDeferredMaybeGrowElements(LMaybeGrowElements* instr) {
      if (Smi::IsValid(int_key)) {
        __ LoadSmiLiteral(r5, Smi::FromInt(int_key));
      } else {
-        // We should never get here at runtime because there is a smi check on
-        // the key before this point.
-        __ stop("expected smi");
+        Abort(kArrayIndexConstantValueTooBig);
      }
    } else {
+      Label is_smi;
+#if V8_TARGET_ARCH_S390X
      __ SmiTag(r5, ToRegister(key));
+#else
+      // Deopt if the key is outside Smi range. The stub expects Smi and would
+      // bump the elements into dictionary mode (and trigger a deopt) anyways.
+      __ Add32(r5, ToRegister(key), ToRegister(key));
+      __ b(nooverflow, &is_smi);
+      __ PopSafepointRegisters();
+      DeoptimizeIf(al, instr, DeoptimizeReason::kOverflow, cr0);
+      __ bind(&is_smi);
+#endif
    }

    GrowArrayElementsStub stub(isolate(), instr->hydrogen()->kind());