
Side by Side Diff: src/compiler/js-builtin-reducer.cc

Issue 1196623002: [ubsan] Fix HeapObjectMatcher to avoid invalid casts. (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: REBASE Created 5 years, 6 months ago
OLDNEW
1 // Copyright 2014 the V8 project authors. All rights reserved. 1 // Copyright 2014 the V8 project authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "src/compiler/diamond.h" 5 #include "src/compiler/diamond.h"
6 #include "src/compiler/js-builtin-reducer.h" 6 #include "src/compiler/js-builtin-reducer.h"
7 #include "src/compiler/js-graph.h" 7 #include "src/compiler/js-graph.h"
8 #include "src/compiler/node-matchers.h" 8 #include "src/compiler/node-matchers.h"
9 #include "src/compiler/node-properties.h" 9 #include "src/compiler/node-properties.h"
10 #include "src/types.h" 10 #include "src/types.h"
11 11
12 namespace v8 { 12 namespace v8 {
13 namespace internal { 13 namespace internal {
14 namespace compiler { 14 namespace compiler {
15 15
16 16
17 // Helper class to access JSCallFunction nodes that are potential candidates 17 // Helper class to access JSCallFunction nodes that are potential candidates
18 // for reduction when they have a BuiltinFunctionId associated with them. 18 // for reduction when they have a BuiltinFunctionId associated with them.
19 class JSCallReduction { 19 class JSCallReduction {
20 public: 20 public:
21 explicit JSCallReduction(Node* node) : node_(node) {} 21 explicit JSCallReduction(Node* node) : node_(node) {}
22 22
23 // Determines whether the node is a JSCallFunction operation that targets a 23 // Determines whether the node is a JSCallFunction operation that targets a
24 // constant callee being a well-known builtin with a BuiltinFunctionId. 24 // constant callee being a well-known builtin with a BuiltinFunctionId.
25 bool HasBuiltinFunctionId() { 25 bool HasBuiltinFunctionId() {
26 if (node_->opcode() != IrOpcode::kJSCallFunction) return false; 26 if (node_->opcode() != IrOpcode::kJSCallFunction) return false;
27 HeapObjectMatcher<Object> m(NodeProperties::GetValueInput(node_, 0)); 27 HeapObjectMatcher m(NodeProperties::GetValueInput(node_, 0));
28 if (!m.HasValue() || !m.Value().handle()->IsJSFunction()) return false; 28 if (!m.HasValue() || !m.Value().handle()->IsJSFunction()) return false;
29 Handle<JSFunction> function = Handle<JSFunction>::cast(m.Value().handle()); 29 Handle<JSFunction> function = Handle<JSFunction>::cast(m.Value().handle());
30 return function->shared()->HasBuiltinFunctionId(); 30 return function->shared()->HasBuiltinFunctionId();
31 } 31 }
32 32
33 // Retrieves the BuiltinFunctionId as described above. 33 // Retrieves the BuiltinFunctionId as described above.
34 BuiltinFunctionId GetBuiltinFunctionId() { 34 BuiltinFunctionId GetBuiltinFunctionId() {
35 DCHECK_EQ(IrOpcode::kJSCallFunction, node_->opcode()); 35 DCHECK_EQ(IrOpcode::kJSCallFunction, node_->opcode());
36 HeapObjectMatcher<Object> m(NodeProperties::GetValueInput(node_, 0)); 36 HeapObjectMatcher m(NodeProperties::GetValueInput(node_, 0));
37 Handle<JSFunction> function = Handle<JSFunction>::cast(m.Value().handle()); 37 Handle<JSFunction> function = Handle<JSFunction>::cast(m.Value().handle());
38 return function->shared()->builtin_function_id(); 38 return function->shared()->builtin_function_id();
39 } 39 }
40 40
41 // Determines whether the call takes zero inputs. 41 // Determines whether the call takes zero inputs.
42 bool InputsMatchZero() { return GetJSCallArity() == 0; } 42 bool InputsMatchZero() { return GetJSCallArity() == 0; }
43 43
44 // Determines whether the call takes one input of the given type. 44 // Determines whether the call takes one input of the given type.
45 bool InputsMatchOne(Type* t1) { 45 bool InputsMatchOne(Type* t1) {
46 return GetJSCallArity() == 1 && 46 return GetJSCallArity() == 1 &&
(...skipping 132 matching lines...)
179 } 179 }
180 180
181 181
182 MachineOperatorBuilder* JSBuiltinReducer::machine() const { 182 MachineOperatorBuilder* JSBuiltinReducer::machine() const {
183 return jsgraph()->machine(); 183 return jsgraph()->machine();
184 } 184 }
185 185
186 } // namespace compiler 186 } // namespace compiler
187 } // namespace internal 187 } // namespace internal
188 } // namespace v8 188 } // namespace v8
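Review bot: GetBuiltinFunctionId() (new lines 34-39) still runs `Handle<JSFunction>::cast(m.Value().handle())` behind nothing but the opcode DCHECK, so the cast is only valid if the caller has already seen HasBuiltinFunctionId() return true for the same node. Since this change is about avoiding invalid casts, I would make that precondition explicit right after the matcher is built with `DCHECK(m.HasValue() && m.Value().handle()->IsJSFunction());`, and extend the comment on new line 33 to `// Retrieves the BuiltinFunctionId; only valid after HasBuiltinFunctionId() returned true.` The call sites are presumably in the 132 skipped lines, so whether every one of them guards the call cannot be confirmed from this view. DCHECKs are compiled out of release builds, so this documents and debug-checks the contract rather than enforcing it; if any caller can reach it unguarded, a real `if` with an early bail-out would be needed instead.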