[Interpreter] Add check that local registers are valid.

Check that a register used as a local is within the bytecode array's local count. BUG=chromium:706234 Change-Id: I51f6a0a8be065b93b9a4e1dca623e98c51685b51 Reviewed-on: https://chromium-review.googlesource.com/464768Reviewed-by: Marja Hölttä <marja@chromium.org> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#44308}

[Interpreter] Add check that local registers are valid.
Check that a register used as a local is within the bytecode array's local count. BUG=chromium:706234 Change-Id: I51f6a0a8be065b93b9a4e1dca623e98c51685b51 Reviewed-on: https://chromium-review.googlesource.com/464768Reviewed-by: Marja Hölttä <marja@chromium.org> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#44308}
a4c6126a · Ross McIlroy · Commit Bot · cc047635 · a4c6126a · a4c6126a
Commit a4c6126a authored Mar 31, 2017 by Ross McIlroy Committed by Commit Bot Mar 31, 2017
Showing with 12 additions and 5 deletions

bytecode-array-builder.cc src/interpreter/bytecode-array-builder.cc +6 -0

bytecode-array-builder.h src/interpreter/bytecode-array-builder.h +1 -0

bytecode-generator.cc src/interpreter/bytecode-generator.cc +5 -5

No files found.
--- a/src/interpreter/bytecode-array-builder.cc
+++ b/src/interpreter/bytecode-array-builder.cc
@@ -77,6 +77,12 @@ Register BytecodeArrayBuilder::Receiver() const {
  return Register::FromParameterIndex(0, parameter_count());
 }

+Register BytecodeArrayBuilder::Local(int index) const {
+  // TODO(marja): Make a DCHECK once crbug.com/706234 is fixed.
+  CHECK_LT(index, locals_count());
+  return Register(index);
+}
+
 Handle<BytecodeArray> BytecodeArrayBuilder::ToBytecodeArray(Isolate* isolate) {
  DCHECK(return_seen_in_block_);
  DCHECK(!bytecode_generated_);

--- a/src/interpreter/bytecode-array-builder.h
+++ b/src/interpreter/bytecode-array-builder.h
@@ -72,6 +72,7 @@ class V8_EXPORT_PRIVATE BytecodeArrayBuilder final
    return register_allocator()->maximum_register_count();
  }

+  Register Local(int index) const;
  Register Parameter(int parameter_index) const;
  Register Receiver() const;


--- a/src/interpreter/bytecode-generator.cc
+++ b/src/interpreter/bytecode-generator.cc
@@ -899,7 +899,7 @@ void BytecodeGenerator::VisitVariableDeclaration(VariableDeclaration* decl) {
    }
    case VariableLocation::LOCAL:
      if (variable->binding_needs_init()) {
-        Register destination(variable->index());
+        Register destination(builder()->Local(variable->index()));
        builder()->LoadTheHole().StoreAccumulatorInRegister(destination);
      }
      break;
@@ -1922,7 +1922,7 @@ void BytecodeGenerator::BuildVariableLoad(Variable* variable, FeedbackSlot slot,
                                          TypeofMode typeof_mode) {
  switch (variable->location()) {
    case VariableLocation::LOCAL: {
-      Register source(Register(variable->index()));
+      Register source(builder()->Local(variable->index()));
      // We need to load the variable into the accumulator, even when in a
      // VisitForRegisterScope, in order to avoid register aliasing if
      // subsequent expressions assign to the same variable.
@@ -2150,12 +2150,12 @@ void BytecodeGenerator::BuildVariableAssignment(Variable* variable,
      Register destination;
      if (VariableLocation::PARAMETER == variable->location()) {
        if (variable->IsReceiver()) {
-          destination = Register(builder()->Receiver());
+          destination = builder()->Receiver();
        } else {
-          destination = Register(builder()->Parameter(variable->index()));
+          destination = builder()->Parameter(variable->index());
        }
      } else {
-        destination = Register(variable->index());
+        destination = builder()->Local(variable->index());
      }

      if (hole_check_mode == HoleCheckMode::kRequired) {