
Side by Side Diff: src/compiler/js-intrinsic-lowering.cc

Issue 1196623002: [ubsan] Fix HeapObjectMatcher to avoid invalid casts. (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: REBASE Created 5 years, 6 months ago
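--- a/src/compiler/js-intrinsic-lowering.cc
+++ b/src/compiler/js-intrinsic-lowering.cc
@@ -1,10 +1,10 @@
 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/js-intrinsic-lowering.h"
 
 #include <stack>
 
 #include "src/compiler/access-builder.h"
 #include "src/compiler/js-graph.h"
@@ -172,25 +172,26 @@
 Node* value = NodeProperties::GetValueInput(node, 0);
 Node* effect = NodeProperties::GetEffectInput(node);
 Node* control = NodeProperties::GetControlInput(node);
 return Change(node, simplified()->LoadField(AccessBuilder::ForMap()), value,
 effect, control);
 }
 
 
 Reduction JSIntrinsicLowering::ReduceIncrementStatsCounter(Node* node) {
 if (!FLAG_native_code_counters) return ChangeToUndefined(node);
-HeapObjectMatcher<String> m(NodeProperties::GetValueInput(node, 0));
+HeapObjectMatcher m(NodeProperties::GetValueInput(node, 0));
 if (!m.HasValue() || !m.Value().handle()->IsString()) {
 return ChangeToUndefined(node);
 }
-SmartArrayPointer<char> name = m.Value().handle()->ToCString();
+SmartArrayPointer<char> name =
+Handle<String>::cast(m.Value().handle())->ToCString();
 StatsCounter counter(jsgraph()->isolate(), name.get());
 if (!counter.Enabled()) return ChangeToUndefined(node);
 
 Node* effect = NodeProperties::GetEffectInput(node);
 Node* control = NodeProperties::GetControlInput(node);
 FieldAccess access = AccessBuilder::ForStatsCounter();
 Node* cnt = jsgraph()->ExternalConstant(ExternalReference(&counter));
 Node* load =
 graph()->NewNode(simplified()->LoadField(access), cnt, effect, control);
 Node* inc =
@@ -541,10 +542,10 @@
 }
 
 
 MachineOperatorBuilder* JSIntrinsicLowering::machine() const {
 return jsgraph()->machine();
 }
 
 } // namespace compiler
 } // namespace internal
 } // namespace v8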
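Review bot: The `Handle<String>::cast(m.Value().handle())` on new lines 186-187 is type-safe only because of the `IsString()` test on line 183, and nothing in the code ties the two together now that `HeapObjectMatcher` no longer carries the `String` type. A one-line comment directly above the cast, such as `// Cast is valid only because IsString() was checked above; the matcher is untyped.`, would keep a later edit from moving or dropping the guard and bringing back the invalid cast. Whether `Handle<T>::cast` verifies the type outside debug builds is not visible on this page, so the guard should be treated as the only check. The rest of `ReduceIncrementStatsCounter` lies in the skipped lines after new line 197.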
