Fix "named" loads for large TypedArray indices

The named LoadIC code was missing a check for "names" that convert to TypedArray indices. This was flushed out by the recent bump of the max TypedArray size from 2^32-1 to 2^32. Named StoreICs had the same bug; fixed here as well. Bug: v8:4153 Fixed: chromium:1104608 Change-Id: I6bd2552d6ccc238104f92e7b95d19970d4a75dae Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2295606Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#68840}

Fix "named" loads for large TypedArray indices
The named LoadIC code was missing a check for "names" that convert to TypedArray indices. This was flushed out by the recent bump of the max TypedArray size from 2^32-1 to 2^32. Named StoreICs had the same bug; fixed here as well. Bug: v8:4153 Fixed: chromium:1104608 Change-Id: I6bd2552d6ccc238104f92e7b95d19970d4a75dae Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2295606Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#68840}
c90353e3 · Jakob Kummerow · Commit Bot · b863810b · c90353e3 · c90353e3
Commit c90353e3 authored Jul 14, 2020 by Jakob Kummerow Committed by Commit Bot Jul 14, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 40 additions and 1 deletion

ic.cc src/ic/ic.cc +9 -1

mjsunit.status test/mjsunit/mjsunit.status +1 -0

regress-crbug-1104608.js test/mjsunit/regress/regress-crbug-1104608.js +30 -0

No files found.
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -949,7 +949,9 @@ Handle<Object> LoadIC::ComputeHandler(LookupIterator* lookup) {
        TRACE_HANDLER_STATS(isolate(), LoadIC_LoadNormalDH);
        if (receiver_is_holder) return smi_handler;
        TRACE_HANDLER_STATS(isolate(), LoadIC_LoadNormalFromPrototypeDH);
-
+      } else if (lookup->IsElement(*holder)) {
+        TRACE_HANDLER_STATS(isolate(), LoadIC_SlowStub);
+        return LoadHandler::LoadSlow(isolate());
      } else {
        DCHECK_EQ(kField, lookup->property_details().location());
        FieldIndex field = lookup->GetFieldIndex();
@@ -1771,6 +1773,12 @@ MaybeObjectHandle StoreIC::ComputeHandler(LookupIterator* lookup) {
        return MaybeObjectHandle(StoreHandler::StoreNormal(isolate()));
      }

+      // -------------- Elements (for TypedArrays) -------------
+      if (lookup->IsElement(*holder)) {
+        TRACE_HANDLER_STATS(isolate(), StoreIC_SlowStub);
+        return MaybeObjectHandle(StoreHandler::StoreSlow(isolate()));
+      }
+
      // -------------- Fields --------------
      if (lookup->property_details().location() == kField) {
        TRACE_HANDLER_STATS(isolate(), StoreIC_StoreFieldDH);

--- a/test/mjsunit/mjsunit.status
+++ b/test/mjsunit/mjsunit.status
@@ -1120,6 +1120,7 @@
 ['system != linux', {
  # Multi-mapped mock allocator is only available on Linux.
  'regress/regress-crbug-1041232': [SKIP],
+  'regress/regress-crbug-1104608': [SKIP],
 }],

 ##############################################################################

--- a/test/mjsunit/regress/regress-crbug-1104608.js
+++ b/test/mjsunit/regress/regress-crbug-1104608.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --multi-mapped-mock-allocator
+
+const kSize = 4294967296;
+// Skip this test on 32-bit platforms.
+if (%TypedArrayMaxLength() >= kSize) {
+  const array = new Uint8Array(kSize);
+
+  function f() {
+    let result = array["4294967295"];
+    assertEquals(0, result);
+  }
+
+  function g() {
+    array["4294967295"] = 1;
+  }
+
+  %PrepareFunctionForOptimization(f);
+  for (var i = 0; i < 3; i++) f();
+  %OptimizeFunctionOnNextCall(f);
+  f();
+
+  %PrepareFunctionForOptimization(g);
+  for (var i = 0; i < 3; i++) g();
+  %OptimizeFunctionOnNextCall(g);
+  g();
+}