Skip to content

V
V8
Commit e69460e6 authored by Z Duong Nguyen-Huu's avatar Z Duong Nguyen-Huu Committed by Commit Bot
Browse files
Options

Sealed array should handle store out of bounds in optimized code 

Bug: chromium:959747
Change-Id: I2518a35508b97ae1c2df7f30c1c2b9755ba6f495
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1597116Reviewed-by: 's avatarIgor Sheludko <ishell@chromium.org>
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#61348}
parent e4c5cab5
Hide whitespace changes
Inline Side-by-side
Showing with 21 additions and 1 deletion
src/code-stub-assembler.cc
View file @ e69460e6
......@@ -10526,7 +10526,8 @@ void CodeStubAssembler::EmitElementStore(Node* object, Node* key, Node* value,
CSA_ASSERT(this, Word32BinaryNot(IsJSProxy(object)));
Node* elements = LoadElements(object);
if (!IsSmiOrObjectElementsKind(elements_kind)) {
if (!(IsSmiOrObjectElementsKind(elements_kind) ||
IsSealedElementsKind(elements_kind))) {
CSA_ASSERT(this, Word32BinaryNot(IsFixedCOWArrayMap(LoadMap(elements))));
} else if (!IsCOWHandlingStoreMode(store_mode)) {
GotoIf(IsFixedCOWArrayMap(LoadMap(elements)), bailout);
......
test/mjsunit/compiler/regress-sealedarray-store-outofbounds.js 0 → 100644
View file @ e69460e6
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --opt --no-always-opt
const v3 = [0,"symbol"];
const v5 = 0 - 1;
const v6 = Object.seal(v3);
let v9 = 0;
function f1() {
v6[119090556] = v5;
}
%PrepareFunctionForOptimization(f1);
f1();
%OptimizeFunctionOnNextCall(f1);
f1();
assertOptimized(f1);
assertEquals(v6.length, 2);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment