| OLD | NEW |
|---|
| 1 // Copyright 2017 the V8 project authors. All rights reserved. | 1 // Copyright 2017 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/builtins/builtins-utils-gen.h" | 5 #include "src/builtins/builtins-utils-gen.h" |
| 6 #include "src/builtins/builtins.h" | 6 #include "src/builtins/builtins.h" |
| 7 #include "src/code-stub-assembler.h" | 7 #include "src/code-stub-assembler.h" |
| 8 #include "src/objects.h" | 8 #include "src/objects.h" |
| 9 | 9 |
| 10 namespace v8 { | 10 namespace v8 { |
| 11 namespace internal { | 11 namespace internal { |
| 12 | 12 |
| 13 using compiler::Node; | 13 using compiler::Node; |
| 14 | 14 |
| 15 class SharedArrayBufferBuiltinsAssembler : public CodeStubAssembler { | 15 class SharedArrayBufferBuiltinsAssembler : public CodeStubAssembler { |
| 16 public: | 16 public: |
| 17 explicit SharedArrayBufferBuiltinsAssembler( | 17 explicit SharedArrayBufferBuiltinsAssembler( |
| 18 compiler::CodeAssemblerState* state) | 18 compiler::CodeAssemblerState* state) |
| 19 : CodeStubAssembler(state) {} | 19 : CodeStubAssembler(state) {} |
| 20 | 20 |
| 21 protected: | 21 protected: |
| 22 typedef Node* (CodeAssembler::*AssemblerFunction)(MachineType type, | 22 typedef Node* (CodeAssembler::*AssemblerFunction)(MachineType type, |
| 23 Node* base, Node* offset, | 23 Node* base, Node* offset, |
| 24 Node* value); | 24 Node* value); |
| 25 void ValidateSharedTypedArray(Node* tagged, Node* context, | 25 void ValidateSharedTypedArray(Node* tagged, Node* context, |
| 26 Node** out_instance_type, | 26 Node** out_instance_type, |
| 27 Node** out_backing_store); | 27 Node** out_backing_store); |
| 28 Node* ConvertTaggedAtomicIndexToWord32(Node* tagged, Node* context, | 28 Node* ConvertTaggedAtomicIndexToWord32(Node* tagged, Node* context, |
| 29 Node** number_index); | 29 Node** number_index); |
| 30 void ValidateAtomicIndex(Node* index_word, Node* array_length_word, | 30 void ValidateAtomicIndex(Node* array, Node* index_word, Node* context); |
| 31 Node* context); | 31 #if DEBUG |
| 32 void DebugSanityCheckAtomicIndex(Node* array, Node* index_word, |
| 33 Node* context); |
| 34 #endif |
| 32 void AtomicBinopBuiltinCommon(Node* array, Node* index, Node* value, | 35 void AtomicBinopBuiltinCommon(Node* array, Node* index, Node* value, |
| 33 Node* context, AssemblerFunction function, | 36 Node* context, AssemblerFunction function, |
| 34 Runtime::FunctionId runtime_function); | 37 Runtime::FunctionId runtime_function); |
| 35 }; | 38 }; |
| 36 | 39 |
| 37 void SharedArrayBufferBuiltinsAssembler::ValidateSharedTypedArray( | 40 void SharedArrayBufferBuiltinsAssembler::ValidateSharedTypedArray( |
| 38 Node* tagged, Node* context, Node** out_instance_type, | 41 Node* tagged, Node* context, Node** out_instance_type, |
| 39 Node** out_backing_store) { | 42 Node** out_backing_store) { |
| 40 Label not_float_or_clamped(this), invalid(this); | 43 Label not_float_or_clamped(this), invalid(this); |
| 41 | 44 |
| (...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 81 Node* byte_offset = ChangeUint32ToWord(TruncateTaggedToWord32( | 84 Node* byte_offset = ChangeUint32ToWord(TruncateTaggedToWord32( |
| 82 context, LoadObjectField(tagged, JSArrayBufferView::kByteOffsetOffset))); | 85 context, LoadObjectField(tagged, JSArrayBufferView::kByteOffsetOffset))); |
| 83 *out_backing_store = | 86 *out_backing_store = |
| 84 IntPtrAdd(BitcastTaggedToWord(backing_store), byte_offset); | 87 IntPtrAdd(BitcastTaggedToWord(backing_store), byte_offset); |
| 85 } | 88 } |
| 86 | 89 |
| 87 // https://tc39.github.io/ecmascript_sharedmem/shmem.html#Atomics.ValidateAtomic
Access | 90 // https://tc39.github.io/ecmascript_sharedmem/shmem.html#Atomics.ValidateAtomic
Access |
| 88 Node* SharedArrayBufferBuiltinsAssembler::ConvertTaggedAtomicIndexToWord32( | 91 Node* SharedArrayBufferBuiltinsAssembler::ConvertTaggedAtomicIndexToWord32( |
| 89 Node* tagged, Node* context, Node** number_index) { | 92 Node* tagged, Node* context, Node** number_index) { |
| 90 VARIABLE(var_result, MachineRepresentation::kWord32); | 93 VARIABLE(var_result, MachineRepresentation::kWord32); |
| 94 Label done(this), range_error(this); |
| 91 | 95 |
| 92 // TODO(jkummerow): Skip ToNumber call when |tagged| is a number already. | 96 // Returns word32 since index cannot be longer than a TypedArray length, |
| 93 // Maybe this can be unified with other tagged-to-index conversions? | 97 // which has a uint32 maximum. |
| 94 // Why does this return an int32, and not an intptr? | 98 // The |number_index| output parameter is used only for architectures that |
| 95 // Why is there the additional |number_index| output parameter? | 99 // don't currently have a TF implementation and forward to runtime functions |
| 96 Callable to_number = CodeFactory::ToNumber(isolate()); | 100 // instead; they expect the value has already been coerced to an integer. |
| 97 *number_index = CallStub(to_number, context, tagged); | 101 *number_index = ToSmiIndex(tagged, context, &range_error); |
| 98 Label done(this, &var_result); | 102 var_result.Bind(SmiToWord32(*number_index)); |
| 103 Goto(&done); |
| 99 | 104 |
| 100 Label if_numberissmi(this), if_numberisnotsmi(this); | 105 BIND(&range_error); |
| 101 Branch(TaggedIsSmi(*number_index), &if_numberissmi, &if_numberisnotsmi); | |
| 102 | |
| 103 BIND(&if_numberissmi); | |
| 104 { | 106 { |
| 105 var_result.Bind(SmiToWord32(*number_index)); | 107 CallRuntime(Runtime::kThrowInvalidAtomicAccessIndexError, context); |
| 106 Goto(&done); | 108 Unreachable(); |
| 107 } | |
| 108 | |
| 109 BIND(&if_numberisnotsmi); | |
| 110 { | |
| 111 Node* number_index_value = LoadHeapNumberValue(*number_index); | |
| 112 Node* access_index = TruncateFloat64ToWord32(number_index_value); | |
| 113 Node* test_index = ChangeInt32ToFloat64(access_index); | |
| 114 | |
| 115 Label if_indexesareequal(this), if_indexesarenotequal(this); | |
| 116 Branch(Float64Equal(number_index_value, test_index), &if_indexesareequal, | |
| 117 &if_indexesarenotequal); | |
| 118 | |
| 119 BIND(&if_indexesareequal); | |
| 120 { | |
| 121 var_result.Bind(access_index); | |
| 122 Goto(&done); | |
| 123 } | |
| 124 | |
| 125 BIND(&if_indexesarenotequal); | |
| 126 { | |
| 127 CallRuntime(Runtime::kThrowInvalidAtomicAccessIndexError, context); | |
| 128 Unreachable(); | |
| 129 } | |
| 130 } | 109 } |
| 131 | 110 |
| 132 BIND(&done); | 111 BIND(&done); |
| 133 return var_result.value(); | 112 return var_result.value(); |
| 134 } | 113 } |
| 135 | 114 |
| 136 void SharedArrayBufferBuiltinsAssembler::ValidateAtomicIndex( | 115 void SharedArrayBufferBuiltinsAssembler::ValidateAtomicIndex(Node* array, |
| 137 Node* index_word, Node* array_length_word, Node* context) { | 116 Node* index_word, |
| 117 Node* context) { |
| 138 // Check if the index is in bounds. If not, throw RangeError. | 118 // Check if the index is in bounds. If not, throw RangeError. |
| 139 Label check_passed(this); | 119 Label check_passed(this); |
| 140 GotoIf(Uint32LessThan(index_word, array_length_word), &check_passed); | 120 Node* array_length_word32 = TruncateTaggedToWord32( |
| 121 context, LoadObjectField(array, JSTypedArray::kLengthOffset)); |
| 122 GotoIf(Uint32LessThan(index_word, array_length_word32), &check_passed); |
| 141 | 123 |
| 142 CallRuntime(Runtime::kThrowInvalidAtomicAccessIndexError, context); | 124 CallRuntime(Runtime::kThrowInvalidAtomicAccessIndexError, context); |
| 143 Unreachable(); | 125 Unreachable(); |
| 144 | 126 |
| 145 BIND(&check_passed); | 127 BIND(&check_passed); |
| 146 } | 128 } |
| 147 | 129 |
| 130 #if DEBUG |
| 131 void SharedArrayBufferBuiltinsAssembler::DebugSanityCheckAtomicIndex( |
| 132 Node* array, Node* index_word, Node* context) { |
| 133 // In Debug mode, we re-validate the index as a sanity check because |
| 134 // ToInteger above calls out to JavaScript. A SharedArrayBuffer can't be |
| 135 // neutered and the TypedArray length can't change either, so skipping this |
| 136 // check in Release mode is safe. |
| 137 CSA_ASSERT( |
| 138 this, |
| 139 Uint32LessThan( |
| 140 index_word, |
| 141 TruncateTaggedToWord32( |
| 142 context, LoadObjectField(array, JSTypedArray::kLengthOffset)))); |
| 143 } |
| 144 #endif |
| 145 |
| 148 TF_BUILTIN(AtomicsLoad, SharedArrayBufferBuiltinsAssembler) { | 146 TF_BUILTIN(AtomicsLoad, SharedArrayBufferBuiltinsAssembler) { |
| 149 Node* array = Parameter(Descriptor::kArray); | 147 Node* array = Parameter(Descriptor::kArray); |
| 150 Node* index = Parameter(Descriptor::kIndex); | 148 Node* index = Parameter(Descriptor::kIndex); |
| 151 Node* context = Parameter(Descriptor::kContext); | 149 Node* context = Parameter(Descriptor::kContext); |
| 152 | 150 |
| 153 Node* index_integer; | |
| 154 Node* index_word32 = | |
| 155 ConvertTaggedAtomicIndexToWord32(index, context, &index_integer); | |
| 156 | |
| 157 Node* instance_type; | 151 Node* instance_type; |
| 158 Node* backing_store; | 152 Node* backing_store; |
| 159 ValidateSharedTypedArray(array, context, &instance_type, &backing_store); | 153 ValidateSharedTypedArray(array, context, &instance_type, &backing_store); |
| 160 | 154 |
| 161 Node* array_length_word32 = TruncateTaggedToWord32( | 155 Node* index_integer; |
| 162 context, LoadObjectField(array, JSTypedArray::kLengthOffset)); | 156 Node* index_word32 = |
| 163 ValidateAtomicIndex(index_word32, array_length_word32, context); | 157 ConvertTaggedAtomicIndexToWord32(index, context, &index_integer); |
| 158 ValidateAtomicIndex(array, index_word32, context); |
| 164 Node* index_word = ChangeUint32ToWord(index_word32); | 159 Node* index_word = ChangeUint32ToWord(index_word32); |
| 165 | 160 |
| 166 Label i8(this), u8(this), i16(this), u16(this), i32(this), u32(this), | 161 Label i8(this), u8(this), i16(this), u16(this), i32(this), u32(this), |
| 167 other(this); | 162 other(this); |
| 168 int32_t case_values[] = { | 163 int32_t case_values[] = { |
| 169 FIXED_INT8_ARRAY_TYPE, FIXED_UINT8_ARRAY_TYPE, FIXED_INT16_ARRAY_TYPE, | 164 FIXED_INT8_ARRAY_TYPE, FIXED_UINT8_ARRAY_TYPE, FIXED_INT16_ARRAY_TYPE, |
| 170 FIXED_UINT16_ARRAY_TYPE, FIXED_INT32_ARRAY_TYPE, FIXED_UINT32_ARRAY_TYPE, | 165 FIXED_UINT16_ARRAY_TYPE, FIXED_INT32_ARRAY_TYPE, FIXED_UINT32_ARRAY_TYPE, |
| 171 }; | 166 }; |
| 172 Label* case_labels[] = { | 167 Label* case_labels[] = { |
| 173 &i8, &u8, &i16, &u16, &i32, &u32, | 168 &i8, &u8, &i16, &u16, &i32, &u32, |
| (...skipping 29 matching lines...) Expand all Loading... |
| 203 BIND(&other); | 198 BIND(&other); |
| 204 Unreachable(); | 199 Unreachable(); |
| 205 } | 200 } |
| 206 | 201 |
| 207 TF_BUILTIN(AtomicsStore, SharedArrayBufferBuiltinsAssembler) { | 202 TF_BUILTIN(AtomicsStore, SharedArrayBufferBuiltinsAssembler) { |
| 208 Node* array = Parameter(Descriptor::kArray); | 203 Node* array = Parameter(Descriptor::kArray); |
| 209 Node* index = Parameter(Descriptor::kIndex); | 204 Node* index = Parameter(Descriptor::kIndex); |
| 210 Node* value = Parameter(Descriptor::kValue); | 205 Node* value = Parameter(Descriptor::kValue); |
| 211 Node* context = Parameter(Descriptor::kContext); | 206 Node* context = Parameter(Descriptor::kContext); |
| 212 | 207 |
| 213 // The value_integer needs to be computed before the validations as the | |
| 214 // ToInteger function can be potentially modified in JS to invalidate the | |
| 215 // conditions. This is just a no-cost safety measure as SABs can't be neutered | |
| 216 // or shrunk. | |
| 217 Node* value_integer = ToInteger(context, value); | |
| 218 Node* value_word32 = TruncateTaggedToWord32(context, value_integer); | |
| 219 | |
| 220 Node* index_integer; | |
| 221 Node* index_word32 = | |
| 222 ConvertTaggedAtomicIndexToWord32(index, context, &index_integer); | |
| 223 | |
| 224 Node* instance_type; | 208 Node* instance_type; |
| 225 Node* backing_store; | 209 Node* backing_store; |
| 226 ValidateSharedTypedArray(array, context, &instance_type, &backing_store); | 210 ValidateSharedTypedArray(array, context, &instance_type, &backing_store); |
| 227 | 211 |
| 228 Node* array_length_word32 = TruncateTaggedToWord32( | 212 Node* index_integer; |
| 229 context, LoadObjectField(array, JSTypedArray::kLengthOffset)); | 213 Node* index_word32 = |
| 230 ValidateAtomicIndex(index_word32, array_length_word32, context); | 214 ConvertTaggedAtomicIndexToWord32(index, context, &index_integer); |
| 215 ValidateAtomicIndex(array, index_word32, context); |
| 231 Node* index_word = ChangeUint32ToWord(index_word32); | 216 Node* index_word = ChangeUint32ToWord(index_word32); |
| 232 | 217 |
| 218 Node* value_integer = ToInteger(context, value); |
| 219 Node* value_word32 = TruncateTaggedToWord32(context, value_integer); |
| 220 |
| 221 #if DEBUG |
| 222 DebugSanityCheckAtomicIndex(array, index_word32, context); |
| 223 #endif |
| 224 |
| 233 Label u8(this), u16(this), u32(this), other(this); | 225 Label u8(this), u16(this), u32(this), other(this); |
| 234 int32_t case_values[] = { | 226 int32_t case_values[] = { |
| 235 FIXED_INT8_ARRAY_TYPE, FIXED_UINT8_ARRAY_TYPE, FIXED_INT16_ARRAY_TYPE, | 227 FIXED_INT8_ARRAY_TYPE, FIXED_UINT8_ARRAY_TYPE, FIXED_INT16_ARRAY_TYPE, |
| 236 FIXED_UINT16_ARRAY_TYPE, FIXED_INT32_ARRAY_TYPE, FIXED_UINT32_ARRAY_TYPE, | 228 FIXED_UINT16_ARRAY_TYPE, FIXED_INT32_ARRAY_TYPE, FIXED_UINT32_ARRAY_TYPE, |
| 237 }; | 229 }; |
| 238 Label* case_labels[] = { | 230 Label* case_labels[] = { |
| 239 &u8, &u8, &u16, &u16, &u32, &u32, | 231 &u8, &u8, &u16, &u16, &u32, &u32, |
| 240 }; | 232 }; |
| 241 Switch(instance_type, &other, case_values, case_labels, | 233 Switch(instance_type, &other, case_values, case_labels, |
| 242 arraysize(case_labels)); | 234 arraysize(case_labels)); |
| (...skipping 17 matching lines...) Expand all Loading... |
| 260 BIND(&other); | 252 BIND(&other); |
| 261 Unreachable(); | 253 Unreachable(); |
| 262 } | 254 } |
| 263 | 255 |
| 264 TF_BUILTIN(AtomicsExchange, SharedArrayBufferBuiltinsAssembler) { | 256 TF_BUILTIN(AtomicsExchange, SharedArrayBufferBuiltinsAssembler) { |
| 265 Node* array = Parameter(Descriptor::kArray); | 257 Node* array = Parameter(Descriptor::kArray); |
| 266 Node* index = Parameter(Descriptor::kIndex); | 258 Node* index = Parameter(Descriptor::kIndex); |
| 267 Node* value = Parameter(Descriptor::kValue); | 259 Node* value = Parameter(Descriptor::kValue); |
| 268 Node* context = Parameter(Descriptor::kContext); | 260 Node* context = Parameter(Descriptor::kContext); |
| 269 | 261 |
| 270 // The value_integer needs to be computed before the validations as the | |
| 271 // ToInteger function can be potentially modified in JS to invalidate the | |
| 272 // conditions. This is just a no-cost safety measure as SABs can't be neutered | |
| 273 // or shrunk. | |
| 274 Node* value_integer = ToInteger(context, value); | |
| 275 | |
| 276 Node* index_integer; | |
| 277 Node* index_word32 = | |
| 278 ConvertTaggedAtomicIndexToWord32(index, context, &index_integer); | |
| 279 | |
| 280 Node* instance_type; | 262 Node* instance_type; |
| 281 Node* backing_store; | 263 Node* backing_store; |
| 282 ValidateSharedTypedArray(array, context, &instance_type, &backing_store); | 264 ValidateSharedTypedArray(array, context, &instance_type, &backing_store); |
| 283 | 265 |
| 284 Node* array_length_word32 = TruncateTaggedToWord32( | 266 Node* index_integer; |
| 285 context, LoadObjectField(array, JSTypedArray::kLengthOffset)); | 267 Node* index_word32 = |
| 286 ValidateAtomicIndex(index_word32, array_length_word32, context); | 268 ConvertTaggedAtomicIndexToWord32(index, context, &index_integer); |
| 269 ValidateAtomicIndex(array, index_word32, context); |
| 270 |
| 271 Node* value_integer = ToInteger(context, value); |
| 272 |
| 273 #if DEBUG |
| 274 DebugSanityCheckAtomicIndex(array, index_word32, context); |
| 275 #endif |
| 287 | 276 |
| 288 #if V8_TARGET_ARCH_MIPS || V8_TARGET_ARCH_MIPS64 | 277 #if V8_TARGET_ARCH_MIPS || V8_TARGET_ARCH_MIPS64 |
| 289 Return(CallRuntime(Runtime::kAtomicsExchange, context, array, index_integer, | 278 Return(CallRuntime(Runtime::kAtomicsExchange, context, array, index_integer, |
| 290 value_integer)); | 279 value_integer)); |
| 291 #else | 280 #else |
| 292 Node* index_word = ChangeUint32ToWord(index_word32); | 281 Node* index_word = ChangeUint32ToWord(index_word32); |
| 293 | 282 |
| 294 Node* value_word32 = TruncateTaggedToWord32(context, value_integer); | 283 Node* value_word32 = TruncateTaggedToWord32(context, value_integer); |
| 295 | 284 |
| 296 Label i8(this), u8(this), i16(this), u16(this), i32(this), u32(this), | 285 Label i8(this), u8(this), i16(this), u16(this), i32(this), u32(this), |
| (...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 337 #endif // V8_TARGET_ARCH_MIPS || V8_TARGET_ARCH_MIPS64 | 326 #endif // V8_TARGET_ARCH_MIPS || V8_TARGET_ARCH_MIPS64 |
| 338 } | 327 } |
| 339 | 328 |
| 340 TF_BUILTIN(AtomicsCompareExchange, SharedArrayBufferBuiltinsAssembler) { | 329 TF_BUILTIN(AtomicsCompareExchange, SharedArrayBufferBuiltinsAssembler) { |
| 341 Node* array = Parameter(Descriptor::kArray); | 330 Node* array = Parameter(Descriptor::kArray); |
| 342 Node* index = Parameter(Descriptor::kIndex); | 331 Node* index = Parameter(Descriptor::kIndex); |
| 343 Node* old_value = Parameter(Descriptor::kOldValue); | 332 Node* old_value = Parameter(Descriptor::kOldValue); |
| 344 Node* new_value = Parameter(Descriptor::kNewValue); | 333 Node* new_value = Parameter(Descriptor::kNewValue); |
| 345 Node* context = Parameter(Descriptor::kContext); | 334 Node* context = Parameter(Descriptor::kContext); |
| 346 | 335 |
| 347 // The value_integers needs to be computed before the validations as the | |
| 348 // ToInteger function can be potentially modified in JS to invalidate the | |
| 349 // conditions. This is just a no-cost safety measure as SABs can't be neutered | |
| 350 // or shrunk. | |
| 351 Node* old_value_integer = ToInteger(context, old_value); | |
| 352 Node* new_value_integer = ToInteger(context, new_value); | |
| 353 | |
| 354 Node* index_integer; | |
| 355 Node* index_word32 = | |
| 356 ConvertTaggedAtomicIndexToWord32(index, context, &index_integer); | |
| 357 | |
| 358 Node* instance_type; | 336 Node* instance_type; |
| 359 Node* backing_store; | 337 Node* backing_store; |
| 360 ValidateSharedTypedArray(array, context, &instance_type, &backing_store); | 338 ValidateSharedTypedArray(array, context, &instance_type, &backing_store); |
| 361 | 339 |
| 362 Node* array_length_word32 = TruncateTaggedToWord32( | 340 Node* index_integer; |
| 363 context, LoadObjectField(array, JSTypedArray::kLengthOffset)); | 341 Node* index_word32 = |
| 364 ValidateAtomicIndex(index_word32, array_length_word32, context); | 342 ConvertTaggedAtomicIndexToWord32(index, context, &index_integer); |
| 343 ValidateAtomicIndex(array, index_word32, context); |
| 344 |
| 345 Node* old_value_integer = ToInteger(context, old_value); |
| 346 Node* new_value_integer = ToInteger(context, new_value); |
| 347 |
| 348 #if DEBUG |
| 349 DebugSanityCheckAtomicIndex(array, index_word32, context); |
| 350 #endif |
| 365 | 351 |
| 366 #if V8_TARGET_ARCH_MIPS || V8_TARGET_ARCH_MIPS64 || V8_TARGET_ARCH_PPC64 || \ | 352 #if V8_TARGET_ARCH_MIPS || V8_TARGET_ARCH_MIPS64 || V8_TARGET_ARCH_PPC64 || \ |
| 367 V8_TARGET_ARCH_PPC || V8_TARGET_ARCH_S390 || V8_TARGET_ARCH_S390X | 353 V8_TARGET_ARCH_PPC || V8_TARGET_ARCH_S390 || V8_TARGET_ARCH_S390X |
| 368 Return(CallRuntime(Runtime::kAtomicsCompareExchange, context, array, | 354 Return(CallRuntime(Runtime::kAtomicsCompareExchange, context, array, |
| 369 index_integer, old_value_integer, new_value_integer)); | 355 index_integer, old_value_integer, new_value_integer)); |
| 370 #else | 356 #else |
| 371 Node* index_word = ChangeUint32ToWord(index_word32); | 357 Node* index_word = ChangeUint32ToWord(index_word32); |
| 372 | 358 |
| 373 Node* old_value_word32 = TruncateTaggedToWord32(context, old_value_integer); | 359 Node* old_value_word32 = TruncateTaggedToWord32(context, old_value_integer); |
| 374 | 360 |
| (...skipping 61 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 436 BINOP_BUILTIN(Add) | 422 BINOP_BUILTIN(Add) |
| 437 BINOP_BUILTIN(Sub) | 423 BINOP_BUILTIN(Sub) |
| 438 BINOP_BUILTIN(And) | 424 BINOP_BUILTIN(And) |
| 439 BINOP_BUILTIN(Or) | 425 BINOP_BUILTIN(Or) |
| 440 BINOP_BUILTIN(Xor) | 426 BINOP_BUILTIN(Xor) |
| 441 #undef BINOP_BUILTIN | 427 #undef BINOP_BUILTIN |
| 442 | 428 |
| 443 void SharedArrayBufferBuiltinsAssembler::AtomicBinopBuiltinCommon( | 429 void SharedArrayBufferBuiltinsAssembler::AtomicBinopBuiltinCommon( |
| 444 Node* array, Node* index, Node* value, Node* context, | 430 Node* array, Node* index, Node* value, Node* context, |
| 445 AssemblerFunction function, Runtime::FunctionId runtime_function) { | 431 AssemblerFunction function, Runtime::FunctionId runtime_function) { |
| 446 // The value_integer needs to be computed before the validations as the | 432 Node* instance_type; |
| 447 // ToInteger function can be potentially modified in JS to invalidate the | 433 Node* backing_store; |
| 448 // conditions. This is just a no-cost safety measure as SABs can't be neutered | 434 ValidateSharedTypedArray(array, context, &instance_type, &backing_store); |
| 449 // or shrunk. | |
| 450 Node* value_integer = ToInteger(context, value); | |
| 451 | 435 |
| 452 Node* index_integer; | 436 Node* index_integer; |
| 453 Node* index_word32 = | 437 Node* index_word32 = |
| 454 ConvertTaggedAtomicIndexToWord32(index, context, &index_integer); | 438 ConvertTaggedAtomicIndexToWord32(index, context, &index_integer); |
| 439 ValidateAtomicIndex(array, index_word32, context); |
| 455 | 440 |
| 456 Node* instance_type; | 441 Node* value_integer = ToInteger(context, value); |
| 457 Node* backing_store; | |
| 458 ValidateSharedTypedArray(array, context, &instance_type, &backing_store); | |
| 459 | 442 |
| 460 Node* array_length_word32 = TruncateTaggedToWord32( | 443 #if DEBUG |
| 461 context, LoadObjectField(array, JSTypedArray::kLengthOffset)); | 444 // In Debug mode, we re-validate the index as a sanity check because |
| 462 ValidateAtomicIndex(index_word32, array_length_word32, context); | 445 // ToInteger above calls out to JavaScript. A SharedArrayBuffer can't be |
| 446 // neutered and the TypedArray length can't change either, so skipping this |
| 447 // check in Release mode is safe. |
| 448 ValidateAtomicIndex(array, index_word32, context); |
| 449 #endif |
| 463 | 450 |
| 464 #if V8_TARGET_ARCH_MIPS || V8_TARGET_ARCH_MIPS64 || V8_TARGET_ARCH_PPC64 || \ | 451 #if V8_TARGET_ARCH_MIPS || V8_TARGET_ARCH_MIPS64 || V8_TARGET_ARCH_PPC64 || \ |
| 465 V8_TARGET_ARCH_PPC || V8_TARGET_ARCH_S390 || V8_TARGET_ARCH_S390X | 452 V8_TARGET_ARCH_PPC || V8_TARGET_ARCH_S390 || V8_TARGET_ARCH_S390X |
| 466 Return(CallRuntime(runtime_function, context, array, index_integer, | 453 Return(CallRuntime(runtime_function, context, array, index_integer, |
| 467 value_integer)); | 454 value_integer)); |
| 468 #else | 455 #else |
| 469 Node* index_word = ChangeUint32ToWord(index_word32); | 456 Node* index_word = ChangeUint32ToWord(index_word32); |
| 470 | 457 |
| 471 Node* value_word32 = TruncateTaggedToWord32(context, value_integer); | 458 Node* value_word32 = TruncateTaggedToWord32(context, value_integer); |
| 472 | 459 |
| (...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 512 | 499 |
| 513 // This shouldn't happen, we've already validated the type. | 500 // This shouldn't happen, we've already validated the type. |
| 514 Bind(&other); | 501 Bind(&other); |
| 515 Unreachable(); | 502 Unreachable(); |
| 516 #endif // V8_TARGET_ARCH_MIPS || V8_TARGET_ARCH_MIPS64 || V8_TARGET_ARCH_PPC64 | 503 #endif // V8_TARGET_ARCH_MIPS || V8_TARGET_ARCH_MIPS64 || V8_TARGET_ARCH_PPC64 |
| 517 // || V8_TARGET_ARCH_PPC || V8_TARGET_ARCH_S390 || V8_TARGET_ARCH_S390X | 504 // || V8_TARGET_ARCH_PPC || V8_TARGET_ARCH_S390 || V8_TARGET_ARCH_S390X |
| 518 } | 505 } |
| 519 | 506 |
| 520 } // namespace internal | 507 } // namespace internal |
| 521 } // namespace v8 | 508 } // namespace v8 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2814753003:
[SAB] Validate index before value conversion (Closed)
