
Side by Side Diff: src/hydrogen-dehoist.cc

Issue 335063005: Re-land "Clusterfuzz identified overflow check needed in dehoisting." (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: Review comments. Created 6 years, 6 months ago
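--- a/src/hydrogen-dehoist.cc
+++ b/src/hydrogen-dehoist.cc
@@ -1,58 +1,69 @@
 // Copyright 2013 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/hydrogen-dehoist.h"
+#include "src/base/safe_math.h"
 
 namespace v8 {
 namespace internal {
 
 static void DehoistArrayIndex(ArrayInstructionInterface* array_operation) {
   HValue* index = array_operation->GetKey()->ActualValue();
   if (!index->representation().IsSmiOrInteger32()) return;
   if (!index->IsAdd() && !index->IsSub()) return;
 
   HConstant* constant;
   HValue* subexpression;
   HBinaryOperation* binary_operation = HBinaryOperation::cast(index);
   if (binary_operation->left()->IsConstant() && index->IsAdd()) {
     subexpression = binary_operation->right();
     constant = HConstant::cast(binary_operation->left());
   } else if (binary_operation->right()->IsConstant()) {
     subexpression = binary_operation->left();
     constant = HConstant::cast(binary_operation->right());
   } else {
     return;
   }
 
   if (!constant->HasInteger32Value()) return;
   int32_t sign = binary_operation->IsSub() ? -1 : 1;
   int32_t value = constant->Integer32Value() * sign;
-  // We limit offset values to 30 bits because we want to avoid the risk of
-  // overflows when the offset is added to the object header size.
-  if (value >= 1 << array_operation->MaxBaseOffsetBits() || value < 0) return;
+  if (value < 0) return;
+
+  // Multiply value by elements size, bailing out on overflow.
+  int32_t elements_kind_size =
+      1 << ElementsKindToShiftSize(array_operation->elements_kind());
+  v8::base::internal::CheckedNumeric<int32_t> multiply_result = value;
+  multiply_result = multiply_result * elements_kind_size;
+  if (!multiply_result.IsValid()) return;
+  value = multiply_result.ValueOrDie();
+
+  // Ensure that the array operation can add value to existing base offset
+  // without overflowing.
+  if (!array_operation->TryIncreaseBaseOffset(value)) return;
+
   array_operation->SetKey(subexpression);
   if (binary_operation->HasNoUses()) {
     binary_operation->DeleteAndReplaceWith(NULL);
   }
-  value <<= ElementsKindToShiftSize(array_operation->elements_kind());
-  array_operation->IncreaseBaseOffset(static_cast<uint32_t>(value));
+
   array_operation->SetDehoisted(true);
 }
 
 
 void HDehoistIndexComputationsPhase::Run() {
   const ZoneList<HBasicBlock*>* blocks(graph()->blocks());
   for (int i = 0; i < blocks->length(); ++i) {
     for (HInstructionIterator it(blocks->at(i)); !it.Done(); it.Advance()) {
       HInstruction* instr = it.Current();
       if (instr->IsLoadKeyed()) {
         DehoistArrayIndex(HLoadKeyed::cast(instr));
       } else if (instr->IsStoreKeyed()) {
         DehoistArrayIndex(HStoreKeyed::cast(instr));
       }
     }
   }
 }
 
 } }  // namespace v8::internal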
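Review bot: The overflow checking added here still leaves one unchecked step: `constant->Integer32Value() * sign` (new line 31, unchanged context just above the new `if (value < 0) return;`) is a signed multiply, and for a Sub whose constant is INT32_MIN the negation overflows int32_t before the new guard runs, which is undefined behaviour in C++ rather than a guaranteed bail-out. The CheckedNumeric type this patch introduces for the element-size multiply covers that case as well, so routing the sign multiplication through it and returning when the result is invalid makes every arithmetic step from the constant to TryIncreaseBaseOffset overflow-checked. DehoistArrayIndex is fully contained in this section, so no other call sites need to change.
```cpp
  int32_t sign = binary_operation->IsSub() ? -1 : 1;
  // Negating the constant can itself overflow (INT32_MIN), so check it too.
  v8::base::internal::CheckedNumeric<int32_t> signed_value =
      constant->Integer32Value();
  signed_value = signed_value * sign;
  if (!signed_value.IsValid()) return;
  int32_t value = signed_value.ValueOrDie();
  if (value < 0) return;
  // … unchanged: element-size multiply, TryIncreaseBaseOffset, SetKey …
```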
