src/compiler/escape-analysis.cc - Issue 2459273002: [turbofan] Properly deal with out-of-bounds fields in EscapeAnalysis.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/compiler/escape-analysis.cc

Issue 2459273002: [turbofan] Properly deal with out-of-bounds fields in EscapeAnalysis. (Closed)

Patch Set: Created 4 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/compiler/escape-analysis.cc

diff --git a/src/compiler/escape-analysis.cc b/src/compiler/escape-analysis.cc

index a190a5adc0ecb14cf0c0996765be9a16ee050990..f175bd5e81af93ae01cace9451f2c91a96c3943c 100644

--- a/src/compiler/escape-analysis.cc

+++ b/src/compiler/escape-analysis.cc

@@ -1399,7 +1399,20 @@ void EscapeAnalysis::ProcessLoadField(Node* node) {

if (VirtualObject* object = GetVirtualObject(state, from)) {

if (!object->IsTracked()) return;

int offset = OffsetForFieldAccess(node);

- if (static_cast<size_t>(offset) >= object->field_count()) return;

+ if (static_cast<size_t>(offset) >= object->field_count()) {

+ // We have a load from a field that is not inside the {object}. This

+ // can only happen with conflicting type feedback and for dead {node}s.

+ // For now, we just mark the {object} as escaping.

+ // TODO(turbofan): Consider introducing an Undefined or None operator

+ // that we can replace this load with, since we know it's dead code.

+ if (status_analysis_->SetEscaped(from)) {

+ TRACE(

+ "Setting #%d (%s) to escaped because load field #%d from "

+ "offset %d outside of object\n",

+ from->id(), from->op()->mnemonic(), node->id(), offset);

+ }

+ return;

+ }

Node* value = object->GetField(offset);

if (value) {

value = ResolveReplacement(value);

@@ -1464,7 +1477,20 @@ void EscapeAnalysis::ProcessStoreField(Node* node) {

if (VirtualObject* object = GetVirtualObject(state, to)) {

if (!object->IsTracked()) return;

int offset = OffsetForFieldAccess(node);

- if (static_cast<size_t>(offset) >= object->field_count()) return;

+ if (static_cast<size_t>(offset) >= object->field_count()) {

+ // We have a store to a field that is not inside the {object}. This

+ // can only happen with conflicting type feedback and for dead {node}s.

+ // For now, we just mark the {object} as escaping.

+ // TODO(turbofan): Consider just eliminating the store in the reducer

+ // pass, as it's dead code anyways.

+ if (status_analysis_->SetEscaped(to)) {

+ TRACE(

+ "Setting #%d (%s) to escaped because store field #%d to "

+ "offset %d outside of object\n",

+ to->id(), to->op()->mnemonic(), node->id(), offset);

+ }

+ return;

+ }

Node* val = ResolveReplacement(NodeProperties::GetValueInput(node, 1));

// TODO(mstarzinger): The following is a workaround to not track some well

// known raw fields. We only ever store default initial values into these

« no previous file with comments | « no previous file | test/mjsunit/regress/regress-crbug-658185.js » ('j') | no next file with comments »