Side by Side Diff: src/hydrogen-dehoist.cc

Issue 317963004: Re-land Clusterfuzz identified overflow check needed in dehoisting. (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: Bugfix, use arithmetic shift instead of divide. Created 6 years, 6 months ago
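--- a/src/hydrogen-dehoist.cc
+++ b/src/hydrogen-dehoist.cc
@@ -1,10 +1,10 @@
 // Copyright 2013 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/hydrogen-dehoist.h"
 
 namespace v8 {
 namespace internal {
 
 static void DehoistArrayIndex(ArrayInstructionInterface* array_operation) {
@@ -21,38 +21,48 @@ static void DehoistArrayIndex(ArrayInstructionInterface* array_operation) {
   } else if (binary_operation->right()->IsConstant()) {
     subexpression = binary_operation->left();
     constant = HConstant::cast(binary_operation->right());
   } else {
     return;
   }
 
   if (!constant->HasInteger32Value()) return;
   int32_t sign = binary_operation->IsSub() ? -1 : 1;
   int32_t value = constant->Integer32Value() * sign;
-  // We limit offset values to 30 bits because we want to avoid the risk of
-  // overflows when the offset is added to the object header size.
-  if (value >= 1 << array_operation->MaxBaseOffsetBits() || value < 0) return;
+  if (value < 0) return;
+
+  // Check for overflow.
+  // TODO(mvstanton): replace with safe_math.h operations when that code is
+  // integrated.
+  int32_t shift_amount =
+      1 << ElementsKindToShiftSize(array_operation->elements_kind());
+  int32_t multiplication_result = value * shift_amount;
+  if ((multiplication_result >> shift_amount) != value) return;
+  value = multiplication_result;
+
+  // Ensure that the array operation can add value to existing base offset
+  // without overflowing.
+  if (!array_operation->CanIncreaseBaseOffset(value)) return;
   array_operation->SetKey(subexpression);
   if (binary_operation->HasNoUses()) {
     binary_operation->DeleteAndReplaceWith(NULL);
   }
-  value <<= ElementsKindToShiftSize(array_operation->elements_kind());
-  array_operation->IncreaseBaseOffset(static_cast<uint32_t>(value));
+  array_operation->IncreaseBaseOffset(value);
   array_operation->SetDehoisted(true);
 }
 
 
 void HDehoistIndexComputationsPhase::Run() {
   const ZoneList<HBasicBlock*>* blocks(graph()->blocks());
   for (int i = 0; i < blocks->length(); ++i) {
     for (HInstructionIterator it(blocks->at(i)); !it.Done(); it.Advance()) {
       HInstruction* instr = it.Current();
       if (instr->IsLoadKeyed()) {
         DehoistArrayIndex(HLoadKeyed::cast(instr));
       } else if (instr->IsStoreKeyed()) {
         DehoistArrayIndex(HStoreKeyed::cast(instr));
       }
     }
   }
 }
 
 } } // namespace v8::internal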
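Review bot: The overflow check at new lines 38-39 shifts `multiplication_result` right by `shift_amount`, which is the multiplier `1 << ElementsKindToShiftSize(...)` rather than the shift size, so for a shift size of k it compares `value * (1 << k) >> (1 << k)` against `value` and, as far as I can tell, rejects every non-zero offset (with k = 0 it reduces to `value >> 1 != value`), silently disabling dehoisting instead of bounding it. The multiply at new line 38 is also a signed int32 operation, so the overflow it is meant to detect is undefined behaviour and the compiler is entitled to fold the round-trip comparison away, which is the same class of problem the Clusterfuzz report in the issue title was about. Since `value` is already known non-negative after new line 31, a bounds check before shifting avoids both issues: `int32_t shift_size = ElementsKindToShiftSize(array_operation->elements_kind());` then `if (value > (kMaxInt >> shift_size)) return;` and `value <<= shift_size;`, keeping the safe_math.h TODO on that bounds check. Lines 11-20 of DehoistArrayIndex are elided from this view, so I cannot confirm where `binary_operation` and `constant` are initialised.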