[turbofan] Generate the correct bounds when the array protector isn't valid.

The condition for bounds check generation was not in sync with the condition that was used for the actual access, which lead to invalid memory accesses when the array protector was invalid. Tbr: tebbi@chromium.org Bug: chromium:781506, chromium:781494, chromium:781457, chromium:781285, chromium:781381, chromium:781380, v8:6936, v8:7014, v8:7027 Change-Id: Ia5b2ad02940292572ed9b37abd3f9ffaa6d7a26b Reviewed-on: https://chromium-review.googlesource.com/753590Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#49124}

[turbofan] Generate the correct bounds when the array protector isn't valid.
The condition for bounds check generation was not in sync with the condition that was used for the actual access, which lead to invalid memory accesses when the array protector was invalid. Tbr: tebbi@chromium.org Bug: chromium:781506, chromium:781494, chromium:781457, chromium:781285, chromium:781381, chromium:781380, v8:6936, v8:7014, v8:7027 Change-Id: Ia5b2ad02940292572ed9b37abd3f9ffaa6d7a26b Reviewed-on: https://chromium-review.googlesource.com/753590Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#49124}
fd150c79 · Benedikt Meurer · Commit Bot · 1a1968fe · fd150c79 · fd150c79
Commit fd150c79 authored Nov 04, 2017 by Benedikt Meurer Committed by Commit Bot Nov 04, 2017
4 changed files
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@@ -2295,7 +2295,8 @@ JSNativeContextSpecialization::BuildElementAccess(
    if (IsGrowStoreMode(store_mode)) {
      // For growing stores we validate the {index} below.
      DCHECK_EQ(AccessMode::kStore, access_mode);
-    } else if (load_mode == LOAD_IGNORE_OUT_OF_BOUNDS) {
+    } else if (load_mode == LOAD_IGNORE_OUT_OF_BOUNDS &&
+               CanTreatHoleAsUndefined(receiver_maps)) {
      // Check that the {index} is a valid array index, we do the actual
      // bounds check below and just skip the store below if it's out of
      // bounds for the {receiver}.

--- a/test/mjsunit/regress/regress-crbug-781506-1.js
+++ b/test/mjsunit/regress/regress-crbug-781506-1.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(a) { return a[0]; }
+
+assertEquals(undefined, foo(x => x));
+assertEquals(undefined, foo({}));
+%OptimizeFunctionOnNextCall(foo);
+assertEquals(undefined, foo(x => x));
--- a/test/mjsunit/regress/regress-crbug-781506-2.js
+++ b/test/mjsunit/regress/regress-crbug-781506-2.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(o) { return o[0]; }
+
+assertEquals(undefined, foo({}));
+Array.prototype[0] = 0;
+assertEquals(undefined, foo({}));
+%OptimizeFunctionOnNextCall(foo);
+assertEquals(undefined, foo({}));
--- a/test/mjsunit/regress/regress-crbug-781506-3.js
+++ b/test/mjsunit/regress/regress-crbug-781506-3.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(a, i) { return a[i] + 0.5; }
+
+foo({}, 1);
+Array.prototype.unshift(1.5);
+assertTrue(Number.isNaN(foo({}, 1)));
+%OptimizeFunctionOnNextCall(foo);
+assertTrue(Number.isNaN(foo({}, 1)));