Index: src/hydrogen-dehoist.cc |
diff --git a/src/hydrogen-dehoist.cc b/src/hydrogen-dehoist.cc |
index fe68e46d5aba0b435afc0791b70aed87400e40bf..fe0ae764ad63dcf3fc6c3ca625ebd90cdea7fcf7 100644 |
--- a/src/hydrogen-dehoist.cc |
+++ b/src/hydrogen-dehoist.cc |
@@ -28,23 +28,15 @@ static void DehoistArrayIndex(ArrayInstructionInterface* array_operation) { |
if (!constant->HasInteger32Value()) return; |
int32_t sign = binary_operation->IsSub() ? -1 : 1; |
int32_t value = constant->Integer32Value() * sign; |
- if (value < 0) return; |
- |
- // Check for overflow. |
- int32_t shift_amount = |
- 1 << ElementsKindToShiftSize(array_operation->elements_kind()); |
- int32_t multiplication_result = value * shift_amount; |
- if ((multiplication_result / shift_amount) != value) return; |
- value = multiplication_result; |
- |
- // Ensure that the array operation can add value to existing base offset |
- // without overflowing. |
- if (!array_operation->CanIncreaseBaseOffset(value)) return; |
+ // We limit offset values to 30 bits because we want to avoid the risk of |
+ // overflows when the offset is added to the object header size. |
+ if (value >= 1 << array_operation->MaxBaseOffsetBits() || value < 0) return; |
array_operation->SetKey(subexpression); |
if (binary_operation->HasNoUses()) { |
binary_operation->DeleteAndReplaceWith(NULL); |
} |
- array_operation->IncreaseBaseOffset(value); |
+ value <<= ElementsKindToShiftSize(array_operation->elements_kind()); |
+ array_operation->IncreaseBaseOffset(static_cast<uint32_t>(value)); |
array_operation->SetDehoisted(true); |
} |