Commit d11da589 authored by Peter Marshall's avatar Peter Marshall Committed by Commit Bot

[builtins] Allow TypedArray constructor to accept big negative numbers.

Previously we enforced that all lengths for ArrayLike objects must
be within Smi range, but all negative numbers should actually be first
converted to +0.

Bug: chromium:740372
Change-Id: If50de9ce0eeb7cb09e14b8e8803f434350d00508
Reviewed-on: https://chromium-review.googlesource.com/566867Reviewed-by: 's avatarCamillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46615}
parent de3a85d1
...@@ -4826,9 +4826,11 @@ Node* CodeStubAssembler::ToSmiLength(Node* input, Node* const context, ...@@ -4826,9 +4826,11 @@ Node* CodeStubAssembler::ToSmiLength(Node* input, Node* const context,
BIND(&to_integer); BIND(&to_integer);
result.Bind(ToInteger(context, result.value(), result.Bind(ToInteger(context, result.value(),
CodeStubAssembler::kTruncateMinusZero)); CodeStubAssembler::kTruncateMinusZero));
GotoIfNot(TaggedIsSmi(result.value()), range_error); GotoIf(TaggedIsSmi(result.value()), &negative_check);
CSA_ASSERT(this, TaggedIsSmi(result.value())); // result.value() can still be a negative HeapNumber here.
Goto(&negative_check); Branch(IsTrue(CallBuiltin(Builtins::kLessThan, context, result.value(),
SmiConstant(0))),
&return_zero, range_error);
BIND(&negative_check); BIND(&negative_check);
Branch(SmiLessThan(result.value(), SmiConstant(0)), &return_zero, &done); Branch(SmiLessThan(result.value(), SmiConstant(0)), &return_zero, &done);
......
...@@ -196,6 +196,12 @@ tests.push(function TestOffsetIsUsed(constr) { ...@@ -196,6 +196,12 @@ tests.push(function TestOffsetIsUsed(constr) {
TestOffsetIsUsedRunner(constr, 128); TestOffsetIsUsedRunner(constr, 128);
}); });
tests.push(function TestLengthIsNonSmiNegativeNumber(constr) {
var ta = new constr({length: -%_MaxSmi() - 2});
assertEquals(0, ta.length);
});
// Helpers for above tests. // Helpers for above tests.
function TestOffsetIsUsedRunner(constr, n) { function TestOffsetIsUsedRunner(constr, n) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment