[turbofan] Don't inline DataView#byte{Length,Offset} without detach protector

Currently the same reduction is used for both TypedArray's and DataView's byte{Length,Offset} accessors. But their behavior differ on detached buffers: TypedArray returns 0 while DataView throw. Do not do the optimization for DataViews if we can't depend on the detach protector. Bug: chromium:1344549 Change-Id: I38b533a62f756869380cb5c19fe254e03979e81a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3763785Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#81754}

[turbofan] Don't inline DataView#byte{Length,Offset} without detach protector
Currently the same reduction is used for both TypedArray's and DataView's byte{Length,Offset} accessors. But their behavior differ on detached buffers: TypedArray returns 0 while DataView throw. Do not do the optimization for DataViews if we can't depend on the detach protector. Bug: chromium:1344549 Change-Id: I38b533a62f756869380cb5c19fe254e03979e81a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3763785Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#81754}
88e53817 · Shu-yu Guo · V8 LUCI CQ · 2d4f043a · 88e53817 · 88e53817
Commit 88e53817 authored Jul 15, 2022 by Shu-yu Guo Committed by V8 LUCI CQ Jul 15, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 55 additions and 1 deletion

js-call-reducer.cc src/compiler/js-call-reducer.cc +12 -1

regress-crbug-1344549.js test/mjsunit/regress/regress-crbug-1344549.js +43 -0

No files found.
--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@@ -7933,12 +7933,23 @@ Reduction JSCallReducer::ReduceArrayBufferViewAccessor(

  CHECK(inference.RelyOnMapsViaStability(dependencies()));

+  const bool depended_on_detaching_protector =
+      dependencies()->DependOnArrayBufferDetachingProtector();
+  if (!depended_on_detaching_protector && instance_type == JS_DATA_VIEW_TYPE) {
+    // DataView prototype accessors throw on detached ArrayBuffers instead of
+    // return 0, so skip the optimization.
+    //
+    // TODO(turbofan): Ideally we would bail out if the buffer is actually
+    // detached.
+    return inference.NoChange();
+  }
+
  // Load the {receiver}s field.
  Node* value = effect = graph()->NewNode(simplified()->LoadField(access),
                                          receiver, effect, control);

  // See if we can skip the detaching check.
-  if (!dependencies()->DependOnArrayBufferDetachingProtector()) {
+  if (!depended_on_detaching_protector) {
    // Check whether {receiver}s JSArrayBuffer was detached.
    Node* buffer = effect = graph()->NewNode(
        simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()),

--- a/test/mjsunit/regress/regress-crbug-1344549.js
+++ b/test/mjsunit/regress/regress-crbug-1344549.js
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+// DataView.prototype.byteLength and DataView.prototype.byteOffset throw on
+// detached ArrayBuffers, unlike the TypedArray.prototype counterparts. Turbofan
+// should not reduce them the same way.
+
+let ab = new ArrayBuffer();
+let dv = new DataView(ab);
+%ArrayBufferDetach(ab);
+
+function TestByteLength(dv) {
+  let caught = 0;
+  for (let i = 0; i < 64; i++) {
+    try {
+      dv.byteLength;
+    } catch (e) {
+      caught++;
+    }
+    if (i == 2) %OptimizeOsr();
+  }
+  assertEquals(64, caught);
+}
+%PrepareFunctionForOptimization(TestByteLength);
+TestByteLength(dv);
+
+function TestByteOffset(dv) {
+  let caught = 0;
+  for (let i = 0; i < 64; i++) {
+    try {
+      dv.byteOffset;
+    } catch (e) {
+      caught++;
+    }
+    if (i == 2) %OptimizeOsr();
+  }
+  assertEquals(64, caught);
+}
+%PrepareFunctionForOptimization(TestByteOffset);
+TestByteOffset(dv);