Chromium Code Reviews Chromium Code Reviews
Issue 2146353002:
[stubs] Properly handle length overflow in StringAddStub. (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2013 the V8 project authors. All rights reserved. | 1 // Copyright 2013 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/crankshaft/hydrogen.h" | 5 #include "src/crankshaft/hydrogen.h" |
| 6 | 6 |
| 7 #include <sstream> | 7 #include <sstream> |
| 8 | 8 |
| 9 #include "src/allocation-site-scopes.h" | 9 #include "src/allocation-site-scopes.h" |
| 10 #include "src/ast/ast-numbering.h" | 10 #include "src/ast/ast-numbering.h" |
| (...skipping 2395 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2406 return object; | 2406 return object; |
| 2407 } | 2407 } |
| 2408 | 2408 |
| 2409 | 2409 |
| 2410 HValue* HGraphBuilder::BuildAddStringLengths(HValue* left_length, | 2410 HValue* HGraphBuilder::BuildAddStringLengths(HValue* left_length, |
| 2411 HValue* right_length) { | 2411 HValue* right_length) { |
| 2412 // Compute the combined string length and check against max string length. | 2412 // Compute the combined string length and check against max string length. |
| 2413 HValue* length = AddUncasted<HAdd>(left_length, right_length); | 2413 HValue* length = AddUncasted<HAdd>(left_length, right_length); |
| 2414 // Check that length <= kMaxLength <=> length < MaxLength + 1. | 2414 // Check that length <= kMaxLength <=> length < MaxLength + 1. |
| 2415 HValue* max_length = Add<HConstant>(String::kMaxLength + 1); | 2415 HValue* max_length = Add<HConstant>(String::kMaxLength + 1); |
| 2416 Add<HBoundsCheck>(length, max_length); | 2416 if (top_info()->IsStub()) { |
| 2417 // This is a mitigation for crbug.com/627934; the real fix | |
| 2418 // will be to migrate the StringAddStub to TurboFan one day. | |
|
jgruber
2017/01/31 15:13:47
FYI: We now have a TF StringAddStub. Not sure from
Benedikt Meurer
2017/01/31 17:57:20
I think we still inline this into the BinaryOpIC f
| |
| 2419 IfBuilder if_invalid(this); | |
| 2420 if_invalid.If<HCompareNumericAndBranch>(length, max_length, Token::GT); | |
| 2421 if_invalid.Then(); | |
| 2422 { | |
| 2423 Add<HCallRuntime>( | |
| 2424 Runtime::FunctionForId(Runtime::kThrowInvalidStringLength), 0); | |
| 2425 } | |
| 2426 if_invalid.End(); | |
| 2427 } else { | |
| 2428 Add<HBoundsCheck>(length, max_length); | |
| 2429 } | |
| 2417 return length; | 2430 return length; |
| 2418 } | 2431 } |
| 2419 | 2432 |
| 2420 | 2433 |
| 2421 HValue* HGraphBuilder::BuildCreateConsString( | 2434 HValue* HGraphBuilder::BuildCreateConsString( |
| 2422 HValue* length, | 2435 HValue* length, |
| 2423 HValue* left, | 2436 HValue* left, |
| 2424 HValue* right, | 2437 HValue* right, |
| 2425 HAllocationMode allocation_mode) { | 2438 HAllocationMode allocation_mode) { |
| 2426 // Determine the string instance types. | 2439 // Determine the string instance types. |
| (...skipping 10985 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 13412 isolate()->GetHTracer()->TraceHydrogen(name(), graph_); | 13425 isolate()->GetHTracer()->TraceHydrogen(name(), graph_); |
| 13413 } | 13426 } |
| 13414 | 13427 |
| 13415 #ifdef DEBUG | 13428 #ifdef DEBUG |
| 13416 graph_->Verify(false); // No full verify. | 13429 graph_->Verify(false); // No full verify. |
| 13417 #endif | 13430 #endif |
| 13418 } | 13431 } |
| 13419 | 13432 |
| 13420 } // namespace internal | 13433 } // namespace internal |
| 13421 } // namespace v8 | 13434 } // namespace v8 |
| OLD | NEW |
