Re-land "Clusterfuzz identified overflow check needed in dehoisting."

src/hydrogen-instructions.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/v8.h"
 
 #include "src/double.h"
 #include "src/factory.h"
 #include "src/hydrogen-infer-representation.h"
 #include "src/property-details-inl.h"
+#include "src/base/safe_math.h"
 
 #if V8_TARGET_ARCH_IA32
 #include "src/ia32/lithium-ia32.h"
 #elif V8_TARGET_ARCH_X64
 #include "src/x64/lithium-x64.h"
 #elif V8_TARGET_ARCH_ARM64
 #include "src/arm64/lithium-arm64.h"
 #elif V8_TARGET_ARCH_ARM
 #include "src/arm/lithium-arm.h"
 #elif V8_TARGET_ARCH_MIPS
@@ skipping 3456 matching lines @@
     stream->Add(" ");
     dependency()->PrintNameTo(stream);
   }
 
   if (RequiresHoleCheck()) {
     stream->Add(" check_hole");
   }
 }
 
 
+bool HLoadKeyed::TryIncreaseBaseOffset(uint32_t increase_by_value) {
+  // The base offset is usually simply the size of the array header, except
+  // with dehoisting adds an addition offset due to a array index key
+  // manipulation, in which case it becomes (array header size +
+  // constant-offset-from-key * kPointerSize)
+  uint32_t base_offset = BaseOffsetField::decode(bit_field_);
+  v8::base::internal::CheckedNumeric<uint32_t> addition_result = base_offset;
+  addition_result += increase_by_value;
+  if (!addition_result.IsValid()) return false;
+  base_offset = addition_result.ValueOrDie();
+  if (!BaseOffsetField::is_valid(base_offset)) return false;
+  bit_field_ = BaseOffsetField::update(bit_field_, base_offset);
+  return true;
+}
+
+
 bool HLoadKeyed::UsesMustHandleHole() const {
   if (IsFastPackedElementsKind(elements_kind())) {
     return false;
   }
 
   if (IsExternalArrayElementsKind(elements_kind())) {
     return false;
   }
 
   if (hole_mode() == ALLOW_RETURN_HOLE) {
@@ skipping 558 matching lines @@
   stream->Add(" (");
   if (IsNewSpaceAllocation()) stream->Add("N");
   if (IsOldPointerSpaceAllocation()) stream->Add("P");
   if (IsOldDataSpaceAllocation()) stream->Add("D");
   if (MustAllocateDoubleAligned()) stream->Add("A");
   if (MustPrefillWithFiller()) stream->Add("F");
   stream->Add(")");
 }
 
 
+bool HStoreKeyed::TryIncreaseBaseOffset(uint32_t increase_by_value) {
+  // The base offset is usually simply the size of the array header, except
+  // with dehoisting adds an addition offset due to a array index key
+  // manipulation, in which case it becomes (array header size +
+  // constant-offset-from-key * kPointerSize)
+  v8::base::internal::CheckedNumeric<uint32_t> addition_result = base_offset_;
+  addition_result += increase_by_value;
+  if (!addition_result.IsValid()) return false;
+  base_offset_ = addition_result.ValueOrDie();
+  return true;
+}
+
+
 bool HStoreKeyed::NeedsCanonicalization() {
   // If value is an integer or smi or comes from the result of a keyed load or
   // constant then it is either be a non-hole value or in the case of a constant
   // the hole is only being stored explicitly: no need for canonicalization.
   //
   // The exception to that is keyed loads from external float or double arrays:
   // these can load arbitrary representation of NaN.
 
   if (value()->IsConstant()) {
     return false;
@@ skipping 764 matching lines @@
       break;
     case kExternalMemory:
       stream->Add("[external-memory]");
       break;
   }
 
   stream->Add("@%d", offset());
 }
 
 } }  // namespace v8::internal