Add array bound checks to code generated for SwapElements. This fixes a bug t...

src/ia32/full-codegen-ia32.cc

Index: src/ia32/full-codegen-ia32.cc
===================================================================
--- src/ia32/full-codegen-ia32.cc	(revision 6006)
+++ src/ia32/full-codegen-ia32.cc	(working copy)
@@ -3108,6 +3108,13 @@
   __ test(temp, Immediate(kSmiTagMask));
   __ j(not_zero, &slow_case);
 
+  // Check that both indices are valid.
+  __ mov(temp, FieldOperand(object, JSArray::kLengthOffset));
+  __ cmp(temp, Operand(index_1));
+  __ j(less_equal, &slow_case);
+  __ cmp(temp, Operand(index_2));
+  __ j(less_equal, &slow_case);

[Lasse Reichstein, 2010/12/15 08:34:55]

I just noticed that there is no test for negative indices, which ofcourse
shouldn't be able to happen ... but trust is overrated.

Use below_equal here to do unsigned comparison (and trust that an array length
can never be negative :).
(You could also change the test above to test against (kSmiTagMask | <signbit
constant>), but that would probably use more bytes whereas changing the
condition is free).

Goes for all platforms.

[Karl Klose, 2010/12/15 09:11:45]

Done.

+
   // Bring addresses into index1 and index2.
   __ lea(index_1, CodeGenerator::FixedArrayElementOperand(elements, index_1));
   __ lea(index_2, CodeGenerator::FixedArrayElementOperand(elements, index_2));