1. 28 Jun, 2018 1 commit
    • [runtime] perform type conversion earlier in IntegerIndexedElementSet · 6c585ef0
      Caitlin Potter authored
      When storing an indexed property in a typed array, it's necessary to
      convert the value to a Number (or to a BigInt) before performing the
      bounds check, per
      https://tc39.github.io/ecma262/#sec-integerindexedelementset.
      
      This CL adds appropriate type conversions in
      Object::SetPropertyInternal (which technically is reached after the
      bounds check has already occurred, but this isn't observable yet ---
      In the future, once OOB accesses on TypedArrays actually throw, this
      will need to be refactored again), and in StoreFastElementStub, and
      ElementsTransitionAndStoreStub (via CSA::EmitElementStore).
      
      The change was not necessary in TurboFan, as
      JSNativeContextSpecialization already performs the value conversion
      before the bounds check.
      
      The result is some fixed test262 tests, and some new test coverage
      for this behaviour in mjsunit.
      
      BUG=v8:7896, v8:5327
      R=neis@chromium.org, jkummerow@chromium.org, gsathya@chromium.org
      
      Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
      Change-Id: Ibe6bec24c72ef6a4fd3e77d5bcafa03737f4c5e3
      Reviewed-on: https://chromium-review.googlesource.com/1117372
      Commit-Queue: Caitlin Potter <caitp@igalia.com>
      Reviewed-by: Georg Neis <neis@chromium.org>
      Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#54096}
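
The ordering described in the commit message, observed from script. This is an added example, not code from the commit or from V8's test suite; `probeStore`, `numberLike`, `bigintLike` and `runProbes` are hypothetical names, and the stored values are constructed for the demonstration.

```javascript
// Store `value` at `index` in a fresh 2-element typed array and report
// whether the value was converted, whether the store threw, and the
// resulting contents. Valid indices are 0 and 1; index 10 is out of bounds.
function probeStore(TypedArrayCtor, index, makeValue) {
  const ta = new TypedArrayCtor(2);
  const log = [];
  const value = makeValue(log);
  let threw = null;
  try {
    ta[index] = value;
  } catch (e) {
    threw = e.constructor.name;
  }
  // Elements are stringified so BigInt contents can be printed as JSON.
  return { log, threw, contents: Array.from(ta, String) };
}

// Constructed values whose conversion is observable through valueOf().
const numberLike = (log) => ({ valueOf() { log.push("valueOf"); return 7; } });
const bigintLike = (log) => ({ valueOf() { log.push("valueOf"); return 7n; } });

function runProbes() {
  return {
    // In bounds: the value is converted, then written.
    inBounds: probeStore(Uint8Array, 1, numberLike),
    // Out of bounds: nothing is written, but the conversion still runs
    // because it is specified to happen before the bounds check.
    outOfBounds: probeStore(Uint8Array, 10, numberLike),
    // Same ordering for BigInt-typed arrays (conversion to BigInt).
    bigintOutOfBounds: probeStore(BigInt64Array, 10, bigintLike),
    // A Number cannot be converted to a BigInt, so the TypeError from
    // the conversion surfaces even though the index is out of bounds.
    bigintWrongType: probeStore(BigInt64Array, 10, () => 1),
  };
}

console.log(JSON.stringify(runProbes(), null, 2));
```

An engine that checks bounds first would report an empty `log` and no exception for the out-of-bounds probes.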