Commit 8e458891 authored by Peter Marshall's avatar Peter Marshall Committed by Commit Bot

[turbofan] Relax range for arguments object length

Bug: chromium:906043
Change-Id: I3a397447be186eff7e6b2ab25341718b6c0d205d
Reviewed-on: https://chromium-review.googlesource.com/c/1356507
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57965}
parent 18b28402
...@@ -166,8 +166,7 @@ class TypeCache final { ...@@ -166,8 +166,7 @@ class TypeCache final {
Type::Union(Type::SignedSmall(), Type::NaN(), zone()); Type::Union(Type::SignedSmall(), Type::NaN(), zone());
// The valid number of arguments for JavaScript functions. // The valid number of arguments for JavaScript functions.
Type const kArgumentsLengthType = Type const kArgumentsLengthType = Type::Unsigned30();
Type::Range(0.0, Code::kMaxArguments, zone());
// The JSArrayIterator::kind property always contains an integer in the // The JSArrayIterator::kind property always contains an integer in the
// range [0, 2], representing the possible IterationKinds. // range [0, 2], representing the possible IterationKinds.
......
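Review bot: The comment above `kArgumentsLengthType` still reads "The valid number of arguments for JavaScript functions", which no longer describes the type now that it is `Type::Unsigned30()` rather than a range capped at `Code::kMaxArguments`. Since the commit relaxes the bound, the comment should say why, for example `// The length of an arguments object; this can exceed Code::kMaxArguments, so it must not be typed more tightly than Unsigned30.` That rationale is inferred from the regression test in this commit, which spreads a 0x11000-element array into the call, so it should be confirmed before it goes in. Stating it at the definition matters because a too-narrow static type here is presumably what lets the optimizer treat values derived from `arguments.length` as already in range. `class TypeCache` begins and ends outside the hunk.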
...@@ -1258,8 +1258,7 @@ void Verifier::Visitor::Check(Node* node, const AllNodes& all) { ...@@ -1258,8 +1258,7 @@ void Verifier::Visitor::Check(Node* node, const AllNodes& all) {
break; break;
case IrOpcode::kNewArgumentsElements: case IrOpcode::kNewArgumentsElements:
CheckValueInputIs(node, 0, Type::ExternalPointer()); CheckValueInputIs(node, 0, Type::ExternalPointer());
CheckValueInputIs(node, 1, Type::Range(-Code::kMaxArguments, CheckValueInputIs(node, 1, Type::Unsigned30());
Code::kMaxArguments, zone));
CheckTypeIs(node, Type::OtherInternal()); CheckTypeIs(node, Type::OtherInternal());
break; break;
case IrOpcode::kNewConsString: case IrOpcode::kNewConsString:
......
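Review bot: The verifier check for input 1 of `kNewArgumentsElements` now repeats `Type::Unsigned30()` literally instead of referring to `kArgumentsLengthType`, so the type-cache definition and the verifier can drift apart again; before this change the two already disagreed (`Type::Range(0.0, Code::kMaxArguments, ...)` against `Type::Range(-Code::kMaxArguments, Code::kMaxArguments, ...)`). If the type cache is reachable from this file, checking against its `kArgumentsLengthType` would keep a single source of truth. The old range also admitted negative values and the new one does not, so if input 1 is indeed the arguments length, a short comment such as `// Input 1 is the arguments length and is never negative.` would record that the narrowing at the lower end is intended. The `switch` in `Verifier::Visitor::Check` continues outside the hunk.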
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function fun(arg) {
let x = arguments.length;
a1 = new Array(0x10);
a1[0] = 1.1;
a2 = new Array(0x10);
a2[0] = 1.1;
a1[(x >> 16) * 21] = 1.39064994160909e-309; // 0xffff00000000
a1[(x >> 16) * 41] = 8.91238232205e-313; // 0x2a00000000
}
var a1, a2;
var a3 = [1.1, 2.2];
a3.length = 0x11000;
a3.fill(3.3);
var a4 = [1.1];
for (let i = 0; i < 3; i++) fun(...a4);
%OptimizeFunctionOnNextCall(fun);
fun(...a4);
res = fun(...a3);
assertEquals(16, a2.length);
for (let i = 8; i < 32; i++) {
assertEquals(undefined, a2[i]);
}
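Review bot: The assertions only look at `a2`, so the test detects a regression only while the out-of-range stores in `fun` happen to reach `a2`; nothing checks the effect the two stores should have on `a1` itself. With `arguments.length` at 0x11000 the indices evaluate to 21 and 41, so under ordinary element-store semantics `a1` should grow, and `assertEquals(42, a1.length);` after the final call would pin that independently of heap layout. A one-line comment above `fun` saying that `x >> 16` must not be constant-folded to 0 for large spread calls would also make the intent of the test clear. `res` is assigned but never read and could be dropped.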