src/compiler/js-intrinsic-lowering.cc - Issue 2778623003: [typedarrays] Check detached buffer at start of typed array methods

Side by Side Diff: src/compiler/js-intrinsic-lowering.cc

Issue 2778623003: [typedarrays] Check detached buffer at start of typed array methods (Closed)

Patch Set: crankshaft inline Created 3 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright 2015 the V8 project authors. All rights reserved.	1 // Copyright 2015 the V8 project authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "src/compiler/js-intrinsic-lowering.h"	5 #include "src/compiler/js-intrinsic-lowering.h"

6	6

7 #include <stack>	7 #include <stack>

8	8

9 #include "src/code-factory.h"	9 #include "src/code-factory.h"

10 #include "src/compiler/access-builder.h"	10 #include "src/compiler/access-builder.h"

(...skipping 62 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
73 case Runtime::kInlineCall:	73 case Runtime::kInlineCall:

74 return ReduceCall(node);	74 return ReduceCall(node);

75 case Runtime::kInlineGetSuperConstructor:	75 case Runtime::kInlineGetSuperConstructor:

76 return ReduceGetSuperConstructor(node);	76 return ReduceGetSuperConstructor(node);

77 case Runtime::kInlineArrayBufferViewGetByteLength:	77 case Runtime::kInlineArrayBufferViewGetByteLength:

78 return ReduceArrayBufferViewField(	78 return ReduceArrayBufferViewField(

79 node, AccessBuilder::ForJSArrayBufferViewByteLength());	79 node, AccessBuilder::ForJSArrayBufferViewByteLength());

80 case Runtime::kInlineArrayBufferViewGetByteOffset:	80 case Runtime::kInlineArrayBufferViewGetByteOffset:

81 return ReduceArrayBufferViewField(	81 return ReduceArrayBufferViewField(

82 node, AccessBuilder::ForJSArrayBufferViewByteOffset());	82 node, AccessBuilder::ForJSArrayBufferViewByteOffset());

	83 case Runtime::kInlineArrayBufferViewWasNeutered:

	84 return ReduceArrayBufferViewWasNeutered(node);

83 case Runtime::kInlineMaxSmi:	85 case Runtime::kInlineMaxSmi:

84 return ReduceMaxSmi(node);	86 return ReduceMaxSmi(node);

85 case Runtime::kInlineTypedArrayGetLength:	87 case Runtime::kInlineTypedArrayGetLength:

86 return ReduceArrayBufferViewField(node,	88 return ReduceArrayBufferViewField(node,

87 AccessBuilder::ForJSTypedArrayLength());	89 AccessBuilder::ForJSTypedArrayLength());

88 case Runtime::kInlineTypedArrayMaxSizeInHeap:	90 case Runtime::kInlineTypedArrayMaxSizeInHeap:

89 return ReduceTypedArrayMaxSizeInHeap(node);	91 return ReduceTypedArrayMaxSizeInHeap(node);

90 case Runtime::kInlineJSCollectionGetTable:	92 case Runtime::kInlineJSCollectionGetTable:

91 return ReduceJSCollectionGetTable(node);	93 return ReduceJSCollectionGetTable(node);

92 case Runtime::kInlineStringGetRawHashField:	94 case Runtime::kInlineStringGetRawHashField:

(...skipping 249 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
342	344

343 // Default to zero if the {receiver}s buffer was neutered.	345 // Default to zero if the {receiver}s buffer was neutered.

344 value = graph()->NewNode(	346 value = graph()->NewNode(

345 common()->Select(MachineRepresentation::kTagged, BranchHint::kFalse),	347 common()->Select(MachineRepresentation::kTagged, BranchHint::kFalse),

346 check, jsgraph()->ZeroConstant(), value);	348 check, jsgraph()->ZeroConstant(), value);

347	349

348 ReplaceWithValue(node, value, effect, control);	350 ReplaceWithValue(node, value, effect, control);

349 return Replace(value);	351 return Replace(value);

350 }	352 }

351	353

	354 Reduction JSIntrinsicLowering::ReduceArrayBufferViewWasNeutered(Node* node) {

	355 Node* receiver = NodeProperties::GetValueInput(node, 0);

	356 Node* effect = NodeProperties::GetEffectInput(node);

	357 Node* control = NodeProperties::GetControlInput(node);

	358

	359 // Check if the {receiver}s buffer was neutered.

	360 Node* receiver_buffer = effect = graph()->NewNode(

	361 simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()),

	362 receiver, effect, control);

	363 Node* value = effect = graph()->NewNode(

	364 simplified()->ArrayBufferWasNeutered(), receiver_buffer, effect, control);

	365

	366 ReplaceWithValue(node, value, effect, control);

	367 return Replace(value);

	368 }

	369

352 Reduction JSIntrinsicLowering::ReduceMaxSmi(Node* node) {	370 Reduction JSIntrinsicLowering::ReduceMaxSmi(Node* node) {

353 Node* value = jsgraph()->Constant(Smi::kMaxValue);	371 Node* value = jsgraph()->Constant(Smi::kMaxValue);

354 ReplaceWithValue(node, value);	372 ReplaceWithValue(node, value);

355 return Replace(value);	373 return Replace(value);

356 }	374 }

357	375

358 Reduction JSIntrinsicLowering::ReduceTypedArrayMaxSizeInHeap(Node* node) {	376 Reduction JSIntrinsicLowering::ReduceTypedArrayMaxSizeInHeap(Node* node) {

359 Node* value = jsgraph()->Constant(FLAG_typed_array_max_size_in_heap);	377 Node* value = jsgraph()->Constant(FLAG_typed_array_max_size_in_heap);

360 ReplaceWithValue(node, value);	378 ReplaceWithValue(node, value);

361 return Replace(value);	379 return Replace(value);

(...skipping 92 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
454 return jsgraph_->javascript();	472 return jsgraph_->javascript();

455 }	473 }

456	474

457 SimplifiedOperatorBuilder* JSIntrinsicLowering::simplified() const {	475 SimplifiedOperatorBuilder* JSIntrinsicLowering::simplified() const {

458 return jsgraph()->simplified();	476 return jsgraph()->simplified();

459 }	477 }

460	478

461 } // namespace compiler	479 } // namespace compiler

462 } // namespace internal	480 } // namespace internal

463 } // namespace v8	481 } // namespace v8

OLD	NEW

« no previous file with comments | « src/compiler/js-intrinsic-lowering.h ('k') | src/crankshaft/hydrogen.h » ('j') | src/js/typedarray.js » ('J')