| OLD | NEW |
|---|
| 1 // Copyright 2014 the V8 project authors. All rights reserved. | 1 // Copyright 2014 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/code-factory.h" | 5 #include "src/code-factory.h" |
| 6 #include "src/compiler/access-builder.h" | 6 #include "src/compiler/access-builder.h" |
| 7 #include "src/compiler/js-graph.h" | 7 #include "src/compiler/js-graph.h" |
| 8 #include "src/compiler/js-typed-lowering.h" | 8 #include "src/compiler/js-typed-lowering.h" |
| 9 #include "src/compiler/linkage.h" | 9 #include "src/compiler/linkage.h" |
| 10 #include "src/compiler/node-matchers.h" | 10 #include "src/compiler/node-matchers.h" |
| (...skipping 806 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 817 } | 817 } |
| 818 } | 818 } |
| 819 return NoChange(); | 819 return NoChange(); |
| 820 } | 820 } |
| 821 | 821 |
| 822 | 822 |
| 823 Reduction JSTypedLowering::ReduceJSLoadProperty(Node* node) { | 823 Reduction JSTypedLowering::ReduceJSLoadProperty(Node* node) { |
| 824 Node* key = NodeProperties::GetValueInput(node, 1); | 824 Node* key = NodeProperties::GetValueInput(node, 1); |
| 825 Node* base = NodeProperties::GetValueInput(node, 0); | 825 Node* base = NodeProperties::GetValueInput(node, 0); |
| 826 Type* key_type = NodeProperties::GetBounds(key).upper; | 826 Type* key_type = NodeProperties::GetBounds(key).upper; |
| 827 HeapObjectMatcher<Object> mbase(base); | 827 HeapObjectMatcher mbase(base); |
| 828 if (mbase.HasValue() && mbase.Value().handle()->IsJSTypedArray()) { | 828 if (mbase.HasValue() && mbase.Value().handle()->IsJSTypedArray()) { |
| 829 Handle<JSTypedArray> const array = | 829 Handle<JSTypedArray> const array = |
| 830 Handle<JSTypedArray>::cast(mbase.Value().handle()); | 830 Handle<JSTypedArray>::cast(mbase.Value().handle()); |
| 831 if (!array->GetBuffer()->was_neutered()) { | 831 if (!array->GetBuffer()->was_neutered()) { |
| 832 array->GetBuffer()->set_is_neuterable(false); | 832 array->GetBuffer()->set_is_neuterable(false); |
| 833 BufferAccess const access(array->type()); | 833 BufferAccess const access(array->type()); |
| 834 size_t const k = ElementSizeLog2Of(access.machine_type()); | 834 size_t const k = ElementSizeLog2Of(access.machine_type()); |
| 835 double const byte_length = array->byte_length()->Number(); | 835 double const byte_length = array->byte_length()->Number(); |
| 836 CHECK_LT(k, arraysize(shifted_int32_ranges_)); | 836 CHECK_LT(k, arraysize(shifted_int32_ranges_)); |
| 837 if (IsExternalArrayElementsKind(array->map()->elements_kind()) && | 837 if (IsExternalArrayElementsKind(array->map()->elements_kind()) && |
| (...skipping 26 matching lines...) Expand all Loading... |
| 864 return NoChange(); | 864 return NoChange(); |
| 865 } | 865 } |
| 866 | 866 |
| 867 | 867 |
| 868 Reduction JSTypedLowering::ReduceJSStoreProperty(Node* node) { | 868 Reduction JSTypedLowering::ReduceJSStoreProperty(Node* node) { |
| 869 Node* key = NodeProperties::GetValueInput(node, 1); | 869 Node* key = NodeProperties::GetValueInput(node, 1); |
| 870 Node* base = NodeProperties::GetValueInput(node, 0); | 870 Node* base = NodeProperties::GetValueInput(node, 0); |
| 871 Node* value = NodeProperties::GetValueInput(node, 2); | 871 Node* value = NodeProperties::GetValueInput(node, 2); |
| 872 Type* key_type = NodeProperties::GetBounds(key).upper; | 872 Type* key_type = NodeProperties::GetBounds(key).upper; |
| 873 Type* value_type = NodeProperties::GetBounds(value).upper; | 873 Type* value_type = NodeProperties::GetBounds(value).upper; |
| 874 HeapObjectMatcher<Object> mbase(base); | 874 HeapObjectMatcher mbase(base); |
| 875 if (mbase.HasValue() && mbase.Value().handle()->IsJSTypedArray()) { | 875 if (mbase.HasValue() && mbase.Value().handle()->IsJSTypedArray()) { |
| 876 Handle<JSTypedArray> const array = | 876 Handle<JSTypedArray> const array = |
| 877 Handle<JSTypedArray>::cast(mbase.Value().handle()); | 877 Handle<JSTypedArray>::cast(mbase.Value().handle()); |
| 878 if (!array->GetBuffer()->was_neutered()) { | 878 if (!array->GetBuffer()->was_neutered()) { |
| 879 array->GetBuffer()->set_is_neuterable(false); | 879 array->GetBuffer()->set_is_neuterable(false); |
| 880 BufferAccess const access(array->type()); | 880 BufferAccess const access(array->type()); |
| 881 size_t const k = ElementSizeLog2Of(access.machine_type()); | 881 size_t const k = ElementSizeLog2Of(access.machine_type()); |
| 882 double const byte_length = array->byte_length()->Number(); | 882 double const byte_length = array->byte_length()->Number(); |
| 883 CHECK_LT(k, arraysize(shifted_int32_ranges_)); | 883 CHECK_LT(k, arraysize(shifted_int32_ranges_)); |
| 884 if (IsExternalArrayElementsKind(array->map()->elements_kind()) && | 884 if (IsExternalArrayElementsKind(array->map()->elements_kind()) && |
| (...skipping 240 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1125 node->set_op(new_op); | 1125 node->set_op(new_op); |
| 1126 return Changed(node); | 1126 return Changed(node); |
| 1127 } | 1127 } |
| 1128 | 1128 |
| 1129 return NoChange(); | 1129 return NoChange(); |
| 1130 } | 1130 } |
| 1131 | 1131 |
| 1132 | 1132 |
| 1133 Reduction JSTypedLowering::ReduceJSCreateLiteralArray(Node* node) { | 1133 Reduction JSTypedLowering::ReduceJSCreateLiteralArray(Node* node) { |
| 1134 DCHECK_EQ(IrOpcode::kJSCreateLiteralArray, node->opcode()); | 1134 DCHECK_EQ(IrOpcode::kJSCreateLiteralArray, node->opcode()); |
| 1135 HeapObjectMatcher<FixedArray> mconst(NodeProperties::GetValueInput(node, 2)); | 1135 HeapObjectMatcher mconst(NodeProperties::GetValueInput(node, 2)); |
| 1136 int length = mconst.Value().handle()->length(); | 1136 int length = Handle<FixedArray>::cast(mconst.Value().handle())->length(); |
| 1137 int flags = OpParameter<int>(node->op()); | 1137 int flags = OpParameter<int>(node->op()); |
| 1138 | 1138 |
| 1139 // Use the FastCloneShallowArrayStub only for shallow boilerplates up to the | 1139 // Use the FastCloneShallowArrayStub only for shallow boilerplates up to the |
| 1140 // initial length limit for arrays with "fast" elements kind. | 1140 // initial length limit for arrays with "fast" elements kind. |
| 1141 // TODO(rossberg): Teach strong mode to FastCloneShallowArrayStub. | 1141 // TODO(rossberg): Teach strong mode to FastCloneShallowArrayStub. |
| 1142 if ((flags & ArrayLiteral::kShallowElements) != 0 && | 1142 if ((flags & ArrayLiteral::kShallowElements) != 0 && |
| 1143 (flags & ArrayLiteral::kIsStrong) == 0 && | 1143 (flags & ArrayLiteral::kIsStrong) == 0 && |
| 1144 length < JSObject::kInitialMaxFastElementArray) { | 1144 length < JSObject::kInitialMaxFastElementArray) { |
| 1145 Isolate* isolate = jsgraph()->isolate(); | 1145 Isolate* isolate = jsgraph()->isolate(); |
| 1146 Callable callable = CodeFactory::FastCloneShallowArray(isolate); | 1146 Callable callable = CodeFactory::FastCloneShallowArray(isolate); |
| 1147 CallDescriptor* desc = Linkage::GetStubCallDescriptor( | 1147 CallDescriptor* desc = Linkage::GetStubCallDescriptor( |
| 1148 isolate, graph()->zone(), callable.descriptor(), 0, | 1148 isolate, graph()->zone(), callable.descriptor(), 0, |
| 1149 (OperatorProperties::GetFrameStateInputCount(node->op()) != 0) | 1149 (OperatorProperties::GetFrameStateInputCount(node->op()) != 0) |
| 1150 ? CallDescriptor::kNeedsFrameState | 1150 ? CallDescriptor::kNeedsFrameState |
| 1151 : CallDescriptor::kNoFlags); | 1151 : CallDescriptor::kNoFlags); |
| 1152 const Operator* new_op = common()->Call(desc); | 1152 const Operator* new_op = common()->Call(desc); |
| 1153 Node* stub_code = jsgraph()->HeapConstant(callable.code()); | 1153 Node* stub_code = jsgraph()->HeapConstant(callable.code()); |
| 1154 node->InsertInput(graph()->zone(), 0, stub_code); | 1154 node->InsertInput(graph()->zone(), 0, stub_code); |
| 1155 node->set_op(new_op); | 1155 node->set_op(new_op); |
| 1156 return Changed(node); | 1156 return Changed(node); |
| 1157 } | 1157 } |
| 1158 | 1158 |
| 1159 return NoChange(); | 1159 return NoChange(); |
| 1160 } | 1160 } |
| 1161 | 1161 |
| 1162 | 1162 |
| 1163 Reduction JSTypedLowering::ReduceJSCreateLiteralObject(Node* node) { | 1163 Reduction JSTypedLowering::ReduceJSCreateLiteralObject(Node* node) { |
| 1164 DCHECK_EQ(IrOpcode::kJSCreateLiteralObject, node->opcode()); | 1164 DCHECK_EQ(IrOpcode::kJSCreateLiteralObject, node->opcode()); |
| 1165 HeapObjectMatcher<FixedArray> mconst(NodeProperties::GetValueInput(node, 2)); | 1165 HeapObjectMatcher mconst(NodeProperties::GetValueInput(node, 2)); |
| 1166 // Constants are pairs, see ObjectLiteral::properties_count(). | 1166 // Constants are pairs, see ObjectLiteral::properties_count(). |
| 1167 int length = mconst.Value().handle()->length() / 2; | 1167 int length = Handle<FixedArray>::cast(mconst.Value().handle())->length() / 2; |
| 1168 int flags = OpParameter<int>(node->op()); | 1168 int flags = OpParameter<int>(node->op()); |
| 1169 | 1169 |
| 1170 // Use the FastCloneShallowObjectStub only for shallow boilerplates without | 1170 // Use the FastCloneShallowObjectStub only for shallow boilerplates without |
| 1171 // elements up to the number of properties that the stubs can handle. | 1171 // elements up to the number of properties that the stubs can handle. |
| 1172 if ((flags & ObjectLiteral::kShallowProperties) != 0 && | 1172 if ((flags & ObjectLiteral::kShallowProperties) != 0 && |
| 1173 length <= FastCloneShallowObjectStub::kMaximumClonedProperties) { | 1173 length <= FastCloneShallowObjectStub::kMaximumClonedProperties) { |
| 1174 Isolate* isolate = jsgraph()->isolate(); | 1174 Isolate* isolate = jsgraph()->isolate(); |
| 1175 Callable callable = CodeFactory::FastCloneShallowObject(isolate, length); | 1175 Callable callable = CodeFactory::FastCloneShallowObject(isolate, length); |
| 1176 CallDescriptor* desc = Linkage::GetStubCallDescriptor( | 1176 CallDescriptor* desc = Linkage::GetStubCallDescriptor( |
| 1177 isolate, graph()->zone(), callable.descriptor(), 0, | 1177 isolate, graph()->zone(), callable.descriptor(), 0, |
| (...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1220 node->TrimInputCount(2); | 1220 node->TrimInputCount(2); |
| 1221 return Changed(node); | 1221 return Changed(node); |
| 1222 } | 1222 } |
| 1223 return NoChange(); | 1223 return NoChange(); |
| 1224 } | 1224 } |
| 1225 | 1225 |
| 1226 | 1226 |
| 1227 Reduction JSTypedLowering::ReduceJSCreateBlockContext(Node* node) { | 1227 Reduction JSTypedLowering::ReduceJSCreateBlockContext(Node* node) { |
| 1228 DCHECK_EQ(IrOpcode::kJSCreateBlockContext, node->opcode()); | 1228 DCHECK_EQ(IrOpcode::kJSCreateBlockContext, node->opcode()); |
| 1229 Node* const input = NodeProperties::GetValueInput(node, 0); | 1229 Node* const input = NodeProperties::GetValueInput(node, 0); |
| 1230 HeapObjectMatcher<ScopeInfo> minput(input); | 1230 HeapObjectMatcher minput(input); |
| 1231 DCHECK(minput.HasValue()); // TODO(mstarzinger): Make ScopeInfo static. | 1231 DCHECK(minput.HasValue()); // TODO(mstarzinger): Make ScopeInfo static. |
| 1232 int context_length = minput.Value().handle()->ContextLength(); | 1232 int context_length = |
| 1233 Handle<ScopeInfo>::cast(minput.Value().handle())->ContextLength(); |
| 1233 if (FLAG_turbo_allocate && context_length < kBlockContextAllocationLimit) { | 1234 if (FLAG_turbo_allocate && context_length < kBlockContextAllocationLimit) { |
| 1234 // JSCreateBlockContext(s:scope[length < limit], f) | 1235 // JSCreateBlockContext(s:scope[length < limit], f) |
| 1235 Node* const effect = NodeProperties::GetEffectInput(node); | 1236 Node* const effect = NodeProperties::GetEffectInput(node); |
| 1236 Node* const control = NodeProperties::GetControlInput(node); | 1237 Node* const control = NodeProperties::GetControlInput(node); |
| 1237 Node* const closure = NodeProperties::GetValueInput(node, 1); | 1238 Node* const closure = NodeProperties::GetValueInput(node, 1); |
| 1238 Node* const context = NodeProperties::GetContextInput(node); | 1239 Node* const context = NodeProperties::GetContextInput(node); |
| 1239 Node* const load = graph()->NewNode( | 1240 Node* const load = graph()->NewNode( |
| 1240 simplified()->LoadField( | 1241 simplified()->LoadField( |
| 1241 AccessBuilder::ForContextSlot(Context::GLOBAL_OBJECT_INDEX)), | 1242 AccessBuilder::ForContextSlot(Context::GLOBAL_OBJECT_INDEX)), |
| 1242 context, effect, control); | 1243 context, effect, control); |
| (...skipping 464 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1707 } | 1708 } |
| 1708 | 1709 |
| 1709 | 1710 |
| 1710 MachineOperatorBuilder* JSTypedLowering::machine() const { | 1711 MachineOperatorBuilder* JSTypedLowering::machine() const { |
| 1711 return jsgraph()->machine(); | 1712 return jsgraph()->machine(); |
| 1712 } | 1713 } |
| 1713 | 1714 |
| 1714 } // namespace compiler | 1715 } // namespace compiler |
| 1715 } // namespace internal | 1716 } // namespace internal |
| 1716 } // namespace v8 | 1717 } // namespace v8 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1196623002:
[ubsan] Fix HeapObjectMatcher to avoid invalid casts. (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master