Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(120)

Unified Diff: src/compiler/js-intrinsic-lowering.cc

Issue 2827443002: Reland [typedarrays] Check detached buffer at start of typed array methods (Closed)
Patch Set: rebase Created 3 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « src/compiler/js-intrinsic-lowering.h ('k') | src/crankshaft/hydrogen.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: src/compiler/js-intrinsic-lowering.cc
diff --git a/src/compiler/js-intrinsic-lowering.cc b/src/compiler/js-intrinsic-lowering.cc
index a18551c6426745db9ef43ac8fe517ae427b9c2c3..3e9014712e417f663046dbbf71c96308063b17c2 100644
--- a/src/compiler/js-intrinsic-lowering.cc
+++ b/src/compiler/js-intrinsic-lowering.cc
@@ -86,6 +86,8 @@ Reduction JSIntrinsicLowering::Reduce(Node* node) {
case Runtime::kInlineArrayBufferViewGetByteOffset:
return ReduceArrayBufferViewField(
node, AccessBuilder::ForJSArrayBufferViewByteOffset());
+ case Runtime::kInlineArrayBufferViewWasNeutered:
+ return ReduceArrayBufferViewWasNeutered(node);
case Runtime::kInlineMaxSmi:
return ReduceMaxSmi(node);
case Runtime::kInlineTypedArrayGetLength:
@@ -374,6 +376,22 @@ Reduction JSIntrinsicLowering::ReduceArrayBufferViewField(
return Replace(value);
}
+Reduction JSIntrinsicLowering::ReduceArrayBufferViewWasNeutered(Node* node) {
+ Node* receiver = NodeProperties::GetValueInput(node, 0);
+ Node* effect = NodeProperties::GetEffectInput(node);
+ Node* control = NodeProperties::GetControlInput(node);
+
+ // Check if the {receiver}s buffer was neutered.
+ Node* receiver_buffer = effect = graph()->NewNode(
+ simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()),
+ receiver, effect, control);
+ Node* value = effect = graph()->NewNode(
+ simplified()->ArrayBufferWasNeutered(), receiver_buffer, effect, control);
+
+ ReplaceWithValue(node, value, effect, control);
+ return Replace(value);
+}
+
Reduction JSIntrinsicLowering::ReduceMaxSmi(Node* node) {
Node* value = jsgraph()->Constant(Smi::kMaxValue);
ReplaceWithValue(node, value);
« no previous file with comments | « src/compiler/js-intrinsic-lowering.h ('k') | src/crankshaft/hydrogen.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698