
Side by Side Diff: src/hydrogen-dehoist.cc

Issue 315593002: Clusterfuzz identified overflow check needed in dehoisting. (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: Carefully avoid overflow. Created 6 years, 6 months ago
1 // Copyright 2013 the V8 project authors. All rights reserved. 1 // Copyright 2013 the V8 project authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "src/hydrogen-dehoist.h" 5 #include "src/hydrogen-dehoist.h"
6 6
7 namespace v8 { 7 namespace v8 {
8 namespace internal { 8 namespace internal {
9 9
10 static void DehoistArrayIndex(ArrayInstructionInterface* array_operation) { 10 static void DehoistArrayIndex(ArrayInstructionInterface* array_operation) {
21 } else if (binary_operation->right()->IsConstant()) { 21 } else if (binary_operation->right()->IsConstant()) {
22 subexpression = binary_operation->left(); 22 subexpression = binary_operation->left();
23 constant = HConstant::cast(binary_operation->right()); 23 constant = HConstant::cast(binary_operation->right());
24 } else { 24 } else {
25 return; 25 return;
26 } 26 }
27 27
28 if (!constant->HasInteger32Value()) return; 28 if (!constant->HasInteger32Value()) return;
29 int32_t sign = binary_operation->IsSub() ? -1 : 1; 29 int32_t sign = binary_operation->IsSub() ? -1 : 1;
30 int32_t value = constant->Integer32Value() * sign; 30 int32_t value = constant->Integer32Value() * sign;
31 // We limit offset values to 30 bits because we want to avoid the risk of 31 if (value < 0) return;
32 // overflows when the offset is added to the object header size. 32
33 if (value >= 1 << array_operation->MaxBaseOffsetBits() || value < 0) return; 33 // Check for overflow.
34 int32_t shift_amount =
35 1 << ElementsKindToShiftSize(array_operation->elements_kind());
36 int32_t multiplication_result = value * shift_amount;
37 if ((multiplication_result / shift_amount) != value) return;
38 value = multiplication_result;
39
40 // Ensure that the array operation can add value to existing base offset
41 // without overflowing.
42 if (!array_operation->CanIncreaseBaseOffset(value)) return;
34 array_operation->SetKey(subexpression); 43 array_operation->SetKey(subexpression);
35 if (binary_operation->HasNoUses()) { 44 if (binary_operation->HasNoUses()) {
36 binary_operation->DeleteAndReplaceWith(NULL); 45 binary_operation->DeleteAndReplaceWith(NULL);
37 } 46 }
38 value <<= ElementsKindToShiftSize(array_operation->elements_kind()); 47 array_operation->IncreaseBaseOffset(value);
39 array_operation->IncreaseBaseOffset(static_cast<uint32_t>(value));
40 array_operation->SetDehoisted(true); 48 array_operation->SetDehoisted(true);
41 } 49 }
42 50
43 51
44 void HDehoistIndexComputationsPhase::Run() { 52 void HDehoistIndexComputationsPhase::Run() {
45 const ZoneList<HBasicBlock*>* blocks(graph()->blocks()); 53 const ZoneList<HBasicBlock*>* blocks(graph()->blocks());
46 for (int i = 0; i < blocks->length(); ++i) { 54 for (int i = 0; i < blocks->length(); ++i) {
47 for (HInstructionIterator it(blocks->at(i)); !it.Done(); it.Advance()) { 55 for (HInstructionIterator it(blocks->at(i)); !it.Done(); it.Advance()) {
48 HInstruction* instr = it.Current(); 56 HInstruction* instr = it.Current();
49 if (instr->IsLoadKeyed()) { 57 if (instr->IsLoadKeyed()) {
50 DehoistArrayIndex(HLoadKeyed::cast(instr)); 58 DehoistArrayIndex(HLoadKeyed::cast(instr));
51 } else if (instr->IsStoreKeyed()) { 59 } else if (instr->IsStoreKeyed()) {
52 DehoistArrayIndex(HStoreKeyed::cast(instr)); 60 DehoistArrayIndex(HStoreKeyed::cast(instr));
53 } 61 }
54 } 62 }
55 } 63 }
56 } 64 }
57 65
58 } } // namespace v8::internal 66 } } // namespace v8::internal
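Review bot: The overflow guard on new lines 36–37, `int32_t multiplication_result = value * shift_amount; if ((multiplication_result / shift_amount) != value) return;`, only detects the overflow after it has occurred, and signed int32 overflow is undefined behaviour, so an optimizing compiler is entitled to fold the division back to `value` and drop the check entirely (unless the build guarantees wrapping arithmetic, which I cannot confirm from here). New line 30, `constant->Integer32Value() * sign`, has the same problem when the constant is kMinInt and the operation is a subtraction. Both can be made overflow-free by bounding the operands before the arithmetic: reject kMinInt before negating, and compare `value` against `kMaxInt >> shift_size` before shifting, as sketched below; the later `CanIncreaseBaseOffset` check then stays as the only guard for the base-offset addition. DehoistArrayIndex's lines between new 10 and 21 (where `constant` and `subexpression` are located) are elided on this page, so the fence starts at the first visible check.
```cpp
  if (!constant->HasInteger32Value()) return;
  int32_t raw = constant->Integer32Value();
  // Negating kMinInt would overflow; such an offset is never dehoistable.
  if (raw == kMinInt) return;
  int32_t value = binary_operation->IsSub() ? -raw : raw;
  if (value < 0) return;

  // Bound the value before shifting so the multiplication cannot overflow;
  // checking (value * shift) / shift == value afterwards relies on signed
  // wrap-around, which the compiler may assume never happens.
  int shift_size = ElementsKindToShiftSize(array_operation->elements_kind());
  if (value > (kMaxInt >> shift_size)) return;
  value <<= shift_size;

  // … unchanged: CanIncreaseBaseOffset check, SetKey, IncreaseBaseOffset, SetDehoisted …
```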