Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(394)

Unified Diff: src/hydrogen-dehoist.cc

Issue 318073002: Revert "Clusterfuzz identified overflow check needed in dehoisting." (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: Created 6 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | src/hydrogen-instructions.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: src/hydrogen-dehoist.cc
diff --git a/src/hydrogen-dehoist.cc b/src/hydrogen-dehoist.cc
index fe68e46d5aba0b435afc0791b70aed87400e40bf..fe0ae764ad63dcf3fc6c3ca625ebd90cdea7fcf7 100644
--- a/src/hydrogen-dehoist.cc
+++ b/src/hydrogen-dehoist.cc
@@ -28,23 +28,15 @@ static void DehoistArrayIndex(ArrayInstructionInterface* array_operation) {
if (!constant->HasInteger32Value()) return;
int32_t sign = binary_operation->IsSub() ? -1 : 1;
int32_t value = constant->Integer32Value() * sign;
- if (value < 0) return;
-
- // Check for overflow.
- int32_t shift_amount =
- 1 << ElementsKindToShiftSize(array_operation->elements_kind());
- int32_t multiplication_result = value * shift_amount;
- if ((multiplication_result / shift_amount) != value) return;
- value = multiplication_result;
-
- // Ensure that the array operation can add value to existing base offset
- // without overflowing.
- if (!array_operation->CanIncreaseBaseOffset(value)) return;
+ // We limit offset values to 30 bits because we want to avoid the risk of
+ // overflows when the offset is added to the object header size.
+ if (value >= 1 << array_operation->MaxBaseOffsetBits() || value < 0) return;
array_operation->SetKey(subexpression);
if (binary_operation->HasNoUses()) {
binary_operation->DeleteAndReplaceWith(NULL);
}
- array_operation->IncreaseBaseOffset(value);
+ value <<= ElementsKindToShiftSize(array_operation->elements_kind());
+ array_operation->IncreaseBaseOffset(static_cast<uint32_t>(value));
array_operation->SetDehoisted(true);
}
« no previous file with comments | « no previous file | src/hydrogen-instructions.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698