Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(290)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 5686006: Add array bound checks to code generated for SwapElements. This fixes a bug t... (Closed)

Created:
10 years ago by Karl Klose
Modified:
9 years, 7 months ago
Reviewers:
Lasse Reichstein
CC:
v8-dev
Visibility:
Public.

Description

Add array bound checks to code generated for SwapElements. This fixes a bug that lead to a segfault when an array was modified while it was sorted. Committed: http://code.google.com/p/v8/source/detail?r=6020

Patch Set 1 #

Patch Set 2 : '' #

Total comments: 4

Patch Set 3 : '' #

Patch Set 4 : '' #

Unified diffs Side-by-side diffs Delta from patch set Stats (+82 lines, -0 lines) Patch
M src/arm/codegen-arm.cc View 1 2 1 chunk +6 lines, -0 lines 0 comments Download
M src/ia32/codegen-ia32.cc View 1 2 1 chunk +7 lines, -0 lines 0 comments Download
M src/ia32/full-codegen-ia32.cc View 1 2 1 chunk +7 lines, -0 lines 0 comments Download
M src/x64/codegen-x64.cc View 1 2 1 chunk +7 lines, -0 lines 0 comments Download
A test/mjsunit/regress/regress-swapelements.js View 1 chunk +55 lines, -0 lines 0 comments Download

Messages

Total messages: 3 (0 generated)
Karl Klose
10 years ago (2010-12-14 14:51:48 UTC) #1
Lasse Reichstein
LGTM with comments. http://codereview.chromium.org/5686006/diff/6001/src/arm/codegen-arm.cc File src/arm/codegen-arm.cc (right): http://codereview.chromium.org/5686006/diff/6001/src/arm/codegen-arm.cc#newcode5599 src/arm/codegen-arm.cc:5599: __ cmp(tmp2, index2); You might consider ...
10 years ago (2010-12-15 08:34:55 UTC) #2
Karl Klose
10 years ago (2010-12-15 09:11:45 UTC) #3 
http://codereview.chromium.org/5686006/diff/6001/src/arm/codegen-arm.cc
File src/arm/codegen-arm.cc (right):

http://codereview.chromium.org/5686006/diff/6001/src/arm/codegen-arm.cc#newco...
src/arm/codegen-arm.cc:5599: __ cmp(tmp2, index2);
On 2010/12/15 08:34:55, Lasse Reichstein wrote:
> You might consider making the second compare conditional and only having one
> branch. I.e.:
>  __ cmp(tmp2, index1);
>  __ cmp(tmp2, index2, gt);
>  deferred->Branch(le);
> I doubt it's faster, but it's a little smaller.

Done.

http://codereview.chromium.org/5686006/diff/6001/src/ia32/full-codegen-ia32.cc
File src/ia32/full-codegen-ia32.cc (right):

http://codereview.chromium.org/5686006/diff/6001/src/ia32/full-codegen-ia32.c...
src/ia32/full-codegen-ia32.cc:3116: __ j(less_equal, &slow_case);
On 2010/12/15 08:34:55, Lasse Reichstein wrote:
> I just noticed that there is no test for negative indices, which ofcourse
> shouldn't be able to happen ... but trust is overrated.
> 
> Use below_equal here to do unsigned comparison (and trust that an array length
> can never be negative :).
> (You could also change the test above to test against (kSmiTagMask | <signbit
> constant>), but that would probably use more bytes whereas changing the
> condition is free).
> 
> Goes for all platforms.

Done.

Powered by Google App Engine
This is Rietveld 408576698