src/compiler/js-intrinsic-lowering.cc - Issue 2778623003: [typedarrays] Check detached buffer at start of typed array methods

Side by Side Diff: src/compiler/js-intrinsic-lowering.cc

Issue 2778623003: [typedarrays] Check detached buffer at start of typed array methods (Closed)

Patch Set: pass test262 for subarray Created 3 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright 2015 the V8 project authors. All rights reserved.	1 // Copyright 2015 the V8 project authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "src/compiler/js-intrinsic-lowering.h"	5 #include "src/compiler/js-intrinsic-lowering.h"

6	6

7 #include <stack>	7 #include <stack>

8	8

9 #include "src/code-factory.h"	9 #include "src/code-factory.h"

10 #include "src/compiler/access-builder.h"	10 #include "src/compiler/access-builder.h"

(...skipping 68 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
79 case Runtime::kInlineCall:	79 case Runtime::kInlineCall:

80 return ReduceCall(node);	80 return ReduceCall(node);

81 case Runtime::kInlineGetSuperConstructor:	81 case Runtime::kInlineGetSuperConstructor:

82 return ReduceGetSuperConstructor(node);	82 return ReduceGetSuperConstructor(node);

83 case Runtime::kInlineArrayBufferViewGetByteLength:	83 case Runtime::kInlineArrayBufferViewGetByteLength:

84 return ReduceArrayBufferViewField(	84 return ReduceArrayBufferViewField(

85 node, AccessBuilder::ForJSArrayBufferViewByteLength());	85 node, AccessBuilder::ForJSArrayBufferViewByteLength());

86 case Runtime::kInlineArrayBufferViewGetByteOffset:	86 case Runtime::kInlineArrayBufferViewGetByteOffset:

87 return ReduceArrayBufferViewField(	87 return ReduceArrayBufferViewField(

88 node, AccessBuilder::ForJSArrayBufferViewByteOffset());	88 node, AccessBuilder::ForJSArrayBufferViewByteOffset());

	89 case Runtime::kInlineArrayBufferViewWasNeutered:

	90 return ReduceArrayBufferViewWasNeutered(node);

89 case Runtime::kInlineMaxSmi:	91 case Runtime::kInlineMaxSmi:

90 return ReduceMaxSmi(node);	92 return ReduceMaxSmi(node);

91 case Runtime::kInlineTypedArrayGetLength:	93 case Runtime::kInlineTypedArrayGetLength:

92 return ReduceArrayBufferViewField(node,	94 return ReduceArrayBufferViewField(node,

93 AccessBuilder::ForJSTypedArrayLength());	95 AccessBuilder::ForJSTypedArrayLength());

94 case Runtime::kInlineTypedArrayMaxSizeInHeap:	96 case Runtime::kInlineTypedArrayMaxSizeInHeap:

95 return ReduceTypedArrayMaxSizeInHeap(node);	97 return ReduceTypedArrayMaxSizeInHeap(node);

96 case Runtime::kInlineJSCollectionGetTable:	98 case Runtime::kInlineJSCollectionGetTable:

97 return ReduceJSCollectionGetTable(node);	99 return ReduceJSCollectionGetTable(node);

98 case Runtime::kInlineStringGetRawHashField:	100 case Runtime::kInlineStringGetRawHashField:

(...skipping 268 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
367	369

368 // Default to zero if the {receiver}s buffer was neutered.	370 // Default to zero if the {receiver}s buffer was neutered.

369 value = graph()->NewNode(	371 value = graph()->NewNode(

370 common()->Select(MachineRepresentation::kTagged, BranchHint::kFalse),	372 common()->Select(MachineRepresentation::kTagged, BranchHint::kFalse),

371 check, jsgraph()->ZeroConstant(), value);	373 check, jsgraph()->ZeroConstant(), value);

372	374

373 ReplaceWithValue(node, value, effect, control);	375 ReplaceWithValue(node, value, effect, control);

374 return Replace(value);	376 return Replace(value);

375 }	377 }

376	378

	379 Reduction JSIntrinsicLowering::ReduceArrayBufferViewWasNeutered(Node* node) {

	380 Node* receiver = NodeProperties::GetValueInput(node, 0);

	381 Node* effect = NodeProperties::GetEffectInput(node);

	382 Node* control = NodeProperties::GetControlInput(node);

	383

	384 // Check if the {receiver}s buffer was neutered.

	385 Node* receiver_buffer = effect = graph()->NewNode(

	386 simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()),

	387 receiver, effect, control);

	388 Node* value = effect = graph()->NewNode(

	389 simplified()->ArrayBufferWasNeutered(), receiver_buffer, effect, control);

	390

	391 ReplaceWithValue(node, value, effect, control);

	392 return Replace(value);

	393 }

	394

377 Reduction JSIntrinsicLowering::ReduceMaxSmi(Node* node) {	395 Reduction JSIntrinsicLowering::ReduceMaxSmi(Node* node) {

378 Node* value = jsgraph()->Constant(Smi::kMaxValue);	396 Node* value = jsgraph()->Constant(Smi::kMaxValue);

379 ReplaceWithValue(node, value);	397 ReplaceWithValue(node, value);

380 return Replace(value);	398 return Replace(value);

381 }	399 }

382	400

383 Reduction JSIntrinsicLowering::ReduceTypedArrayMaxSizeInHeap(Node* node) {	401 Reduction JSIntrinsicLowering::ReduceTypedArrayMaxSizeInHeap(Node* node) {

384 Node* value = jsgraph()->Constant(FLAG_typed_array_max_size_in_heap);	402 Node* value = jsgraph()->Constant(FLAG_typed_array_max_size_in_heap);

385 ReplaceWithValue(node, value);	403 ReplaceWithValue(node, value);

386 return Replace(value);	404 return Replace(value);

(...skipping 92 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
479 return jsgraph_->javascript();	497 return jsgraph_->javascript();

480 }	498 }

481	499

482 SimplifiedOperatorBuilder* JSIntrinsicLowering::simplified() const {	500 SimplifiedOperatorBuilder* JSIntrinsicLowering::simplified() const {

483 return jsgraph()->simplified();	501 return jsgraph()->simplified();

484 }	502 }

485	503

486 } // namespace compiler	504 } // namespace compiler

487 } // namespace internal	505 } // namespace internal

488 } // namespace v8	506 } // namespace v8

OLD	NEW

« no previous file with comments | « src/compiler/js-intrinsic-lowering.h ('k') | src/crankshaft/hydrogen.h » ('j') | no next file with comments »