Commit a55608d8 authored by Tobias Tebbi's avatar Tobias Tebbi Committed by Commit Bot

Reland "[csa] disable selected bounds checks for remaining regressions"

This is a reland of c3148664

Original change's description:
> [csa] disable selected bounds checks for remaining regressions
>
> Bug: chromium:932919
> TBR: jarin@chromium.org
> Change-Id: Id1125dcd2978f790af4cf00125bcbb94741d0bf8
> Reviewed-on: https://chromium-review.googlesource.com/c/1480387
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59773}

Bug: chromium:932919
Change-Id: Ifb115ded2ff272abae4fba557ef669eee8e3c687
TBR: tebbi@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/c/1481746Reviewed-by: 's avatarSathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59781}
parent f1b21a10
......@@ -539,7 +539,7 @@ TNode<BoolT> BaseCollectionsAssembler::HasInitialCollectionPrototype(
TNode<Object> BaseCollectionsAssembler::LoadAndNormalizeFixedArrayElement(
TNode<FixedArray> elements, TNode<IntPtrT> index) {
TNode<Object> element = LoadFixedArrayElement(elements, index);
TNode<Object> element = UnsafeLoadFixedArrayElement(elements, index);
return Select<Object>(IsTheHole(element), [=] { return UndefinedConstant(); },
[=] { return element; });
}
......@@ -1003,7 +1003,7 @@ TNode<JSArray> CollectionsBuiltinsAssembler::MapIteratorToList(
CSA_ASSERT(this, InstanceTypeEqual(LoadInstanceType(iterator),
JS_MAP_VALUE_ITERATOR_TYPE));
TNode<Object> entry_value =
LoadFixedArrayElement(table, entry_start_position,
UnsafeLoadFixedArrayElement(table, entry_start_position,
(OrderedHashMap::HashTableStartIndex() +
OrderedHashMap::kValueOffset) *
kTaggedSize);
......@@ -1410,8 +1410,8 @@ CollectionsBuiltinsAssembler::NextSkipHoles(TNode<TableType> table,
entry_start_position = IntPtrAdd(
IntPtrMul(var_index.value(), IntPtrConstant(TableType::kEntrySize)),
number_of_buckets);
entry_key =
LoadFixedArrayElement(table, entry_start_position,
entry_key = UnsafeLoadFixedArrayElement(
table, entry_start_position,
TableType::HashTableStartIndex() * kTaggedSize);
Increment(&var_index);
Branch(IsTheHole(entry_key), &loop, &done_loop);
......@@ -1534,8 +1534,8 @@ TF_BUILTIN(MapPrototypeSet, CollectionsBuiltinsAssembler) {
TVARIABLE(OrderedHashMap, table_var, table);
{
// Check we have enough space for the entry.
number_of_buckets.Bind(SmiUntag(CAST(
LoadFixedArrayElement(table, OrderedHashMap::NumberOfBucketsIndex()))));
number_of_buckets.Bind(SmiUntag(CAST(UnsafeLoadFixedArrayElement(
table, OrderedHashMap::NumberOfBucketsIndex()))));
STATIC_ASSERT(OrderedHashMap::kLoadFactor == 2);
Node* const capacity = WordShl(number_of_buckets.value(), 1);
......@@ -1550,7 +1550,7 @@ TF_BUILTIN(MapPrototypeSet, CollectionsBuiltinsAssembler) {
// fields.
CallRuntime(Runtime::kMapGrow, context, receiver);
table_var = CAST(LoadObjectField(receiver, JSMap::kTableOffset));
number_of_buckets.Bind(SmiUntag(CAST(LoadFixedArrayElement(
number_of_buckets.Bind(SmiUntag(CAST(UnsafeLoadFixedArrayElement(
table_var.value(), OrderedHashMap::NumberOfBucketsIndex()))));
Node* const new_number_of_elements = SmiUntag(CAST(LoadObjectField(
table_var.value(), OrderedHashMap::NumberOfElementsOffset())));
......@@ -1572,24 +1572,28 @@ void CollectionsBuiltinsAssembler::StoreOrderedHashMapNewEntry(
Node* const hash, Node* const number_of_buckets, Node* const occupancy) {
Node* const bucket =
WordAnd(hash, IntPtrSub(number_of_buckets, IntPtrConstant(1)));
Node* const bucket_entry = LoadFixedArrayElement(
Node* const bucket_entry = UnsafeLoadFixedArrayElement(
table, bucket, OrderedHashMap::HashTableStartIndex() * kTaggedSize);
// Store the entry elements.
Node* const entry_start = IntPtrAdd(
IntPtrMul(occupancy, IntPtrConstant(OrderedHashMap::kEntrySize)),
number_of_buckets);
StoreFixedArrayElement(table, entry_start, key, UPDATE_WRITE_BARRIER,
UnsafeStoreFixedArrayElement(
table, entry_start, key, UPDATE_WRITE_BARRIER,
kTaggedSize * OrderedHashMap::HashTableStartIndex());
StoreFixedArrayElement(table, entry_start, value, UPDATE_WRITE_BARRIER,
UnsafeStoreFixedArrayElement(
table, entry_start, value, UPDATE_WRITE_BARRIER,
kTaggedSize * (OrderedHashMap::HashTableStartIndex() +
OrderedHashMap::kValueOffset));
StoreFixedArrayElement(table, entry_start, bucket_entry, SKIP_WRITE_BARRIER,
UnsafeStoreFixedArrayElement(
table, entry_start, bucket_entry, SKIP_WRITE_BARRIER,
kTaggedSize * (OrderedHashMap::HashTableStartIndex() +
OrderedHashMap::kChainOffset));
// Update the bucket head.
StoreFixedArrayElement(table, bucket, SmiTag(occupancy), SKIP_WRITE_BARRIER,
UnsafeStoreFixedArrayElement(
table, bucket, SmiTag(occupancy), SKIP_WRITE_BARRIER,
OrderedHashMap::HashTableStartIndex() * kTaggedSize);
// Bump the elements count.
......@@ -1704,8 +1708,8 @@ TF_BUILTIN(SetPrototypeAdd, CollectionsBuiltinsAssembler) {
TVARIABLE(OrderedHashSet, table_var, table);
{
// Check we have enough space for the entry.
number_of_buckets.Bind(SmiUntag(CAST(
LoadFixedArrayElement(table, OrderedHashSet::NumberOfBucketsIndex()))));
number_of_buckets.Bind(SmiUntag(CAST(UnsafeLoadFixedArrayElement(
table, OrderedHashSet::NumberOfBucketsIndex()))));
STATIC_ASSERT(OrderedHashSet::kLoadFactor == 2);
Node* const capacity = WordShl(number_of_buckets.value(), 1);
......@@ -1720,7 +1724,7 @@ TF_BUILTIN(SetPrototypeAdd, CollectionsBuiltinsAssembler) {
// fields.
CallRuntime(Runtime::kSetGrow, context, receiver);
table_var = CAST(LoadObjectField(receiver, JSMap::kTableOffset));
number_of_buckets.Bind(SmiUntag(CAST(LoadFixedArrayElement(
number_of_buckets.Bind(SmiUntag(CAST(UnsafeLoadFixedArrayElement(
table_var.value(), OrderedHashSet::NumberOfBucketsIndex()))));
Node* const new_number_of_elements = SmiUntag(CAST(LoadObjectField(
table_var.value(), OrderedHashSet::NumberOfElementsOffset())));
......@@ -1742,21 +1746,24 @@ void CollectionsBuiltinsAssembler::StoreOrderedHashSetNewEntry(
Node* const number_of_buckets, Node* const occupancy) {
Node* const bucket =
WordAnd(hash, IntPtrSub(number_of_buckets, IntPtrConstant(1)));
Node* const bucket_entry = LoadFixedArrayElement(
Node* const bucket_entry = UnsafeLoadFixedArrayElement(
table, bucket, OrderedHashSet::HashTableStartIndex() * kTaggedSize);
// Store the entry elements.
Node* const entry_start = IntPtrAdd(
IntPtrMul(occupancy, IntPtrConstant(OrderedHashSet::kEntrySize)),
number_of_buckets);
StoreFixedArrayElement(table, entry_start, key, UPDATE_WRITE_BARRIER,
UnsafeStoreFixedArrayElement(
table, entry_start, key, UPDATE_WRITE_BARRIER,
kTaggedSize * OrderedHashSet::HashTableStartIndex());
StoreFixedArrayElement(table, entry_start, bucket_entry, SKIP_WRITE_BARRIER,
UnsafeStoreFixedArrayElement(
table, entry_start, bucket_entry, SKIP_WRITE_BARRIER,
kTaggedSize * (OrderedHashSet::HashTableStartIndex() +
OrderedHashSet::kChainOffset));
// Update the bucket head.
StoreFixedArrayElement(table, bucket, SmiTag(occupancy), SKIP_WRITE_BARRIER,
UnsafeStoreFixedArrayElement(
table, bucket, SmiTag(occupancy), SKIP_WRITE_BARRIER,
OrderedHashSet::HashTableStartIndex() * kTaggedSize);
// Bump the elements count.
......@@ -2334,11 +2341,12 @@ void WeakCollectionsBuiltinsAssembler::AddEntry(
TNode<Object> key, TNode<Object> value, TNode<IntPtrT> number_of_elements) {
// See EphemeronHashTable::AddEntry().
TNode<IntPtrT> value_index = ValueIndexFromKeyIndex(key_index);
StoreFixedArrayElement(table, key_index, key);
StoreFixedArrayElement(table, value_index, value);
UnsafeStoreFixedArrayElement(table, key_index, key);
UnsafeStoreFixedArrayElement(table, value_index, value);
// See HashTableBase::ElementAdded().
StoreFixedArrayElement(table, EphemeronHashTable::kNumberOfElementsIndex,
UnsafeStoreFixedArrayElement(
table, EphemeronHashTable::kNumberOfElementsIndex,
SmiFromIntPtr(number_of_elements), SKIP_WRITE_BARRIER);
}
......@@ -2404,7 +2412,8 @@ TNode<IntPtrT> WeakCollectionsBuiltinsAssembler::FindKeyIndex(
TNode<IntPtrT> key_index;
{
key_index = KeyIndexFromEntry(var_entry.value());
TNode<Object> entry_key = LoadFixedArrayElement(CAST(table), key_index);
TNode<Object> entry_key =
UnsafeLoadFixedArrayElement(CAST(table), key_index);
key_compare(entry_key, &if_found);
......@@ -2454,14 +2463,14 @@ TNode<IntPtrT> WeakCollectionsBuiltinsAssembler::KeyIndexFromEntry(
TNode<IntPtrT> WeakCollectionsBuiltinsAssembler::LoadNumberOfElements(
TNode<EphemeronHashTable> table, int offset) {
TNode<IntPtrT> number_of_elements = SmiUntag(CAST(LoadFixedArrayElement(
TNode<IntPtrT> number_of_elements = SmiUntag(CAST(UnsafeLoadFixedArrayElement(
table, EphemeronHashTable::kNumberOfElementsIndex)));
return IntPtrAdd(number_of_elements, IntPtrConstant(offset));
}
TNode<IntPtrT> WeakCollectionsBuiltinsAssembler::LoadNumberOfDeleted(
TNode<EphemeronHashTable> table, int offset) {
TNode<IntPtrT> number_of_deleted = SmiUntag(CAST(LoadFixedArrayElement(
TNode<IntPtrT> number_of_deleted = SmiUntag(CAST(UnsafeLoadFixedArrayElement(
table, EphemeronHashTable::kNumberOfDeletedElementsIndex)));
return IntPtrAdd(number_of_deleted, IntPtrConstant(offset));
}
......@@ -2473,8 +2482,8 @@ TNode<EphemeronHashTable> WeakCollectionsBuiltinsAssembler::LoadTable(
TNode<IntPtrT> WeakCollectionsBuiltinsAssembler::LoadTableCapacity(
TNode<EphemeronHashTable> table) {
return SmiUntag(
CAST(LoadFixedArrayElement(table, EphemeronHashTable::kCapacityIndex)));
return SmiUntag(CAST(
UnsafeLoadFixedArrayElement(table, EphemeronHashTable::kCapacityIndex)));
}
TNode<Word32T> WeakCollectionsBuiltinsAssembler::InsufficientCapacityToAdd(
......
......@@ -1925,9 +1925,9 @@ void RegExpBuiltinsAssembler::RegExpPrototypeMatchBody(Node* const context,
RegExpPrototypeExecBodyWithoutResult(CAST(context), CAST(regexp),
string, &if_didnotmatch, true);
Node* const match_from = LoadFixedArrayElement(
Node* const match_from = UnsafeLoadFixedArrayElement(
match_indices, RegExpMatchInfo::kFirstCaptureIndex);
Node* const match_to = LoadFixedArrayElement(
Node* const match_to = UnsafeLoadFixedArrayElement(
match_indices, RegExpMatchInfo::kFirstCaptureIndex + 1);
var_match.Bind(CallBuiltin(Builtins::kSubString, context, string,
......@@ -2403,7 +2403,7 @@ void RegExpBuiltinsAssembler::RegExpPrototypeSplitBody(Node* const context,
length, allocation_site, mode);
TNode<FixedArray> fixed_array = CAST(LoadElements(result));
StoreFixedArrayElement(fixed_array, 0, string);
UnsafeStoreFixedArrayElement(fixed_array, 0, string);
Return(result);
}
......@@ -2456,7 +2456,7 @@ void RegExpBuiltinsAssembler::RegExpPrototypeSplitBody(Node* const context,
}
TNode<FixedArray> match_indices = CAST(match_indices_ho);
TNode<Smi> const match_from = CAST(LoadFixedArrayElement(
TNode<Smi> const match_from = CAST(UnsafeLoadFixedArrayElement(
match_indices, RegExpMatchInfo::kFirstCaptureIndex));
// We're done if the match starts beyond the string.
......@@ -2466,7 +2466,7 @@ void RegExpBuiltinsAssembler::RegExpPrototypeSplitBody(Node* const context,
BIND(&next);
}
TNode<Smi> const match_to = CAST(LoadFixedArrayElement(
TNode<Smi> const match_to = CAST(UnsafeLoadFixedArrayElement(
match_indices, RegExpMatchInfo::kFirstCaptureIndex + 1));
// Advance index and continue if the match is empty.
......
......@@ -27,7 +27,7 @@ void GrowableFixedArray::Push(TNode<Object> const value) {
BIND(&store);
{
TNode<FixedArray> const array = var_array_.value();
StoreFixedArrayElement(array, length, value);
UnsafeStoreFixedArrayElement(array, length, value);
var_length_ = IntPtrAdd(length, IntPtrConstant(1));
}
......
......@@ -6742,7 +6742,7 @@ TNode<String> CodeStubAssembler::StringFromSingleCharCode(TNode<Int32T> code) {
// cache already.
Label if_entryisundefined(this, Label::kDeferred),
if_entryisnotundefined(this);
Node* entry = LoadFixedArrayElement(cache, code_index);
Node* entry = UnsafeLoadFixedArrayElement(cache, code_index);
Branch(IsUndefined(entry), &if_entryisundefined, &if_entryisnotundefined);
BIND(&if_entryisundefined);
......@@ -8414,7 +8414,8 @@ void CodeStubAssembler::NameDictionaryLookup(
TNode<IntPtrT> index = EntryToIndex<Dictionary>(entry);
*var_name_index = index;
TNode<HeapObject> current = CAST(LoadFixedArrayElement(dictionary, index));
TNode<HeapObject> current =
CAST(UnsafeLoadFixedArrayElement(dictionary, index));
GotoIf(WordEqual(current, undefined), if_not_found);
current = LoadName<Dictionary>(current);
GotoIf(WordEqual(current, unique_name), if_found);
......@@ -8525,7 +8526,7 @@ void CodeStubAssembler::NumberDictionaryLookup(
TNode<IntPtrT> entry = var_entry->value();
TNode<IntPtrT> index = EntryToIndex<NumberDictionary>(entry);
Node* current = LoadFixedArrayElement(dictionary, index);
Node* current = UnsafeLoadFixedArrayElement(dictionary, index);
GotoIf(WordEqual(current, undefined), if_not_found);
Label next_probe(this);
{
......@@ -9613,7 +9614,7 @@ void CodeStubAssembler::TryLookupElement(Node* object, Node* map,
GotoIfNot(UintPtrLessThan(intptr_index, length), &if_oob);
TNode<Object> element = LoadFixedArrayElement(elements, intptr_index);
TNode<Object> element = UnsafeLoadFixedArrayElement(elements, intptr_index);
TNode<Oddball> the_hole = TheHoleConstant();
Branch(WordEqual(element, the_hole), if_not_found, if_found);
}
......
......@@ -1027,11 +1027,20 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
CheckBounds::kDebugOnly);
}
TNode<Object> LoadFixedArrayElement(TNode<FixedArray> object,
TNode<Object> LoadFixedArrayElement(
TNode<FixedArray> object, TNode<IntPtrT> index,
LoadSensitivity needs_poisoning,
CheckBounds check_bounds = CheckBounds::kAlways) {
return LoadFixedArrayElement(object, index, 0, INTPTR_PARAMETERS,
needs_poisoning, check_bounds);
}
// This doesn't emit a bounds-check. As part of the security-performance
// tradeoff, only use it if it is performance critical.
TNode<Object> UnsafeLoadFixedArrayElement(TNode<FixedArray> object,
TNode<IntPtrT> index,
LoadSensitivity needs_poisoning) {
return LoadFixedArrayElement(object, index, 0, INTPTR_PARAMETERS,
needs_poisoning);
return LoadFixedArrayElement(object, index, needs_poisoning,
CheckBounds::kDebugOnly);
}
TNode<Object> LoadFixedArrayElement(
......@@ -2613,7 +2622,8 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
template <class Dictionary>
TNode<Smi> GetCapacity(TNode<Dictionary> dictionary) {
return CAST(LoadFixedArrayElement(dictionary, Dictionary::kCapacityIndex));
return CAST(
UnsafeLoadFixedArrayElement(dictionary, Dictionary::kCapacityIndex));
}
template <class Dictionary>
......
......@@ -1796,13 +1796,14 @@ void AccessorAssembler::EmitElementLoad(
BIND(&if_fast_packed);
{
Comment("fast packed elements");
exit_point->Return(LoadFixedArrayElement(CAST(elements), intptr_index));
exit_point->Return(
UnsafeLoadFixedArrayElement(CAST(elements), intptr_index));
}
BIND(&if_fast_holey);
{
Comment("fast holey elements");
Node* element = LoadFixedArrayElement(CAST(elements), intptr_index);
Node* element = UnsafeLoadFixedArrayElement(CAST(elements), intptr_index);
GotoIf(WordEqual(element, TheHoleConstant()), if_hole);
exit_point->Return(element);
}
......
......@@ -648,8 +648,8 @@ Node* InterpreterAssembler::BytecodeOperandIntrinsicId(int operand_index) {
Node* InterpreterAssembler::LoadConstantPoolEntry(Node* index) {
TNode<FixedArray> constant_pool = CAST(LoadObjectField(
BytecodeArrayTaggedPointer(), BytecodeArray::kConstantPoolOffset));
return LoadFixedArrayElement(constant_pool, UncheckedCast<IntPtrT>(index),
LoadSensitivity::kCritical);
return UnsafeLoadFixedArrayElement(
constant_pool, UncheckedCast<IntPtrT>(index), LoadSensitivity::kCritical);
}
Node* InterpreterAssembler::LoadAndUntagConstantPoolEntry(Node* index) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment