Commit c65f0a78 authored by Benedikt Meurer's avatar Benedikt Meurer Committed by Commit Bot

[turbofan] NumberToString can return non-sequential strings.

TurboFan assumed that the output of NumberToString is always a
sequential string, since that's what we put into the number to
string table. However we might eventually morph these strings
into ThinStrings when we need to internalize them, in which case
the type in TurboFan will be wrong, and we read out of bounds.

Also-By: tebbi@chromium.org
Bug: chromium:822284
Change-Id: I5aebe73028b95849fff72bba262c517677112353
Reviewed-on: https://chromium-review.googlesource.com/964523
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: 's avatarTobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51970}
parent 3813cbf2
...@@ -510,7 +510,7 @@ Type* OperationTyper::NumberToString(Type* type) { ...@@ -510,7 +510,7 @@ Type* OperationTyper::NumberToString(Type* type) {
if (type->IsNone()) return type; if (type->IsNone()) return type;
if (type->Is(Type::NaN())) return singleton_NaN_string_; if (type->Is(Type::NaN())) return singleton_NaN_string_;
if (type->Is(cache_.kZeroOrMinusZero)) return singleton_zero_string_; if (type->Is(cache_.kZeroOrMinusZero)) return singleton_zero_string_;
return Type::SeqString(); return Type::String();
} }
Type* OperationTyper::NumberToUint32(Type* type) { Type* OperationTyper::NumberToUint32(Type* type) {
......
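Review bot: The new `return Type::String();` has no comment recording why the narrower `Type::SeqString()` is unsafe here, so a later cleanup could narrow it again. I would add above it `// Cached number strings can later be turned into ThinStrings by internalization, so the result is not guaranteed to be sequential.` Per the commit message, the wrong type led to an out-of-bounds read, which is worth stating at the point where the type is chosen. The body of NumberToString starts outside the hunk, and whether other typer rules rely on the same sequential-string assumption cannot be seen from here.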
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo(a) {
a = "" + Math.abs(a);
return a.charCodeAt(0);
}
// Add '1' to the number to string table (as SeqString).
String.fromCharCode(49);
// Turn the SeqString into a ThinString via forced internalization.
const o = {};
o[(1).toString()] = 1;
assertEquals(49, foo(1));
assertEquals(49, foo(1));
%OptimizeFunctionOnNextCall(foo);
assertEquals(49, foo(1));
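Review bot: Nothing after `%OptimizeFunctionOnNextCall(foo);` checks that the last `foo(1)` actually ran as optimized code. If optimization is skipped or the function deoptimizes, the test passes without exercising the TurboFan-typed path it is meant to guard. Consider adding `assertOptimized(foo);` after the final `assertEquals`, provided the test configurations that disable optimization tolerate it. A comment above `foo` would also help, for example `// "" + Math.abs(a) goes through NumberToString; charCodeAt then reads the result using its static type.`, though that description is inferred from the commit message rather than visible in the test.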