| Index: src/hydrogen-instructions.h
|
| diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h
|
| index f1720f444247d83635c84d00a99cf2457ee0022e..97c31de10d23fd827b7e296f9292a7f2c4222703 100644
|
| --- a/src/hydrogen-instructions.h
|
| +++ b/src/hydrogen-instructions.h
|
| @@ -6441,8 +6441,8 @@ class ArrayInstructionInterface {
|
| virtual HValue* GetKey() = 0;
|
| virtual void SetKey(HValue* key) = 0;
|
| virtual ElementsKind elements_kind() const = 0;
|
| - virtual void IncreaseBaseOffset(uint32_t base_offset) = 0;
|
| - virtual int MaxBaseOffsetBits() = 0;
|
| + // TryIncreaseBaseOffset returns false if overflow would result.
|
| + virtual bool TryIncreaseBaseOffset(uint32_t increase_by_value) = 0;
|
| virtual bool IsDehoisted() = 0;
|
| virtual void SetDehoisted(bool is_dehoisted) = 0;
|
| virtual ~ArrayInstructionInterface() { }
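Review bot: The interface comment on the new TryIncreaseBaseOffset declaration states only the overflow case, but the HLoadKeyed implementation later in this diff also returns false when the sum is not representable in BaseOffsetField, so the contract as documented is narrower than what implementers do. I would widen it and state the no-change guarantee, since callers that ignore a false return would otherwise silently proceed with a stale offset: `// TryIncreaseBaseOffset returns false, leaving the offset unchanged, if the` `// new offset would overflow or cannot be represented by the implementation.` Because a dropped false here turns into a wrong memory offset rather than an error, it may also be worth marking the method with the project's warn-unused-result attribute macro if this revision's v8config.h provides one.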
|
| @@ -6489,16 +6489,19 @@ class HLoadKeyed V8_FINAL
|
| }
|
| bool HasDependency() const { return OperandAt(0) != OperandAt(2); }
|
| uint32_t base_offset() { return BaseOffsetField::decode(bit_field_); }
|
| - void IncreaseBaseOffset(uint32_t base_offset) {
|
| + bool TryIncreaseBaseOffset(uint32_t increase_by_value) {
|
| // The base offset is usually simply the size of the array header, except
|
| // with dehoisting adds an addition offset due to a array index key
|
| // manipulation, in which case it becomes (array header size +
|
| // constant-offset-from-key * kPointerSize)
|
| - base_offset += BaseOffsetField::decode(bit_field_);
|
| + uint32_t base_offset = BaseOffsetField::decode(bit_field_);
|
| + if (AdditionOverflows(base_offset, increase_by_value) ||
|
| + !BaseOffsetField::is_valid(base_offset + increase_by_value)) {
|
| + return false;
|
| + }
|
| + base_offset += increase_by_value;
|
| bit_field_ = BaseOffsetField::update(bit_field_, base_offset);
|
| - }
|
| - virtual int MaxBaseOffsetBits() {
|
| - return kBitsForBaseOffset;
|
| + return true;
|
| }
|
| HValue* GetKey() { return key(); }
|
| void SetKey(HValue* key) { SetOperandAt(1, key); }
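Review bot: The four-line comment retained above the new HLoadKeyed body still describes only the successful path and says nothing about the false return, so a reader has to infer from the AdditionOverflows/is_valid check that bit_field_ is left untouched on failure; the same applies to the copy of that comment in the HStoreKeyed hunk below. I would append `// Returns false, leaving bit_field_ untouched, when the sum would wrap or no` `// longer fits in BaseOffsetField.` and, while editing it, repair the wording "adds an addition offset due to a array index key" to "adds an additional offset due to an array index key". Note also that the two implementations now enforce different bounds: this one checks the bit-field width, the HStoreKeyed one checks only uint32 wraparound, which is worth a one-line comment explaining why the asymmetry is intended.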
|
| @@ -6963,15 +6966,14 @@ class HStoreKeyed V8_FINAL
|
| StoreFieldOrKeyedMode store_mode() const { return store_mode_; }
|
| ElementsKind elements_kind() const { return elements_kind_; }
|
| uint32_t base_offset() { return base_offset_; }
|
| - void IncreaseBaseOffset(uint32_t base_offset) {
|
| + bool TryIncreaseBaseOffset(uint32_t increase_by_value) {
|
| // The base offset is usually simply the size of the array header, except
|
| // with dehoisting adds an addition offset due to a array index key
|
| // manipulation, in which case it becomes (array header size +
|
| // constant-offset-from-key * kPointerSize)
|
| - base_offset_ += base_offset;
|
| - }
|
| - virtual int MaxBaseOffsetBits() {
|
| - return 31 - ElementsKindToShiftSize(elements_kind_);
|
| + if (AdditionOverflows(base_offset_, increase_by_value)) return false;
|
| + base_offset_ += increase_by_value;
|
| + return true;
|
| }
|
| HValue* GetKey() { return key(); }
|
| void SetKey(HValue* key) { SetOperandAt(1, key); }
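Review bot: The new HStoreKeyed check rejects only uint32 wraparound, whereas the removed MaxBaseOffsetBits bound was `31 - ElementsKindToShiftSize(elements_kind_)`, a narrower, elements-kind-dependent limit; unless the caller of TryIncreaseBaseOffset (outside this diff) re-derives that limit, an offset that does not wrap but exceeds the old per-kind bound is now accepted. Since base_offset_ is folded into the address of a keyed store, an over-large value is a memory-safety concern rather than a cosmetic one, so this deserves either a comment stating where the bound is now enforced or the bound itself. If the old limit meant "the offset must fit in that many bits", the guard could become `uint32_t max_offset = 1u << (31 - ElementsKindToShiftSize(elements_kind_));` `if (AdditionOverflows(base_offset_, increase_by_value) ||` `    base_offset_ + increase_by_value >= max_offset) return false;`, which also keeps the two implementations symmetric with HLoadKeyed's is_valid check in the previous hunk.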
|
|
|