Ensure we don't overflow in BCE

BUG=chromium:469148 LOG=y [email protected] Review URL: https://codereview.chromium.org/1023123003 Cr-Commit-Position: refs/heads/master@{#27346}
Bysmyyr · Mar 20, 2015 · 0f57346 · 0f57346
1 parent 371ae8c
commit 0f57346
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 1 deletion.
diff --git a/src/hydrogen-bce.cc b/src/hydrogen-bce.cc
@@ -56,7 +56,8 @@ class BoundsCheckKey : public ZoneObject {
       constant = HConstant::cast(check->index());
     }
 
-    if (constant != NULL && constant->HasInteger32Value()) {
+    if (constant != NULL && constant->HasInteger32Value() &&
+        constant->Integer32Value() != kMinInt) {
       *offset = is_sub ? - constant->Integer32Value()
                        : constant->Integer32Value();
     } else {

diff --git a/test/mjsunit/regress/regress-bce-underflow.js b/test/mjsunit/regress/regress-bce-underflow.js
@@ -0,0 +1,35 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f(a, i, bool) {
+  var result;
+  if (bool) {
+    // Make sure i - -0x80000000 doesn't overflow in BCE, missing a check for
+    // x-0 later on.
+    result = f2(a, 0x7fffffff, i, i, -0x80000000);
+  } else {
+    result = f2(a, -3, 4, i, 0);
+  }
+  return result;
+}
+
+function f2(a, c, x, i, d) {
+  return a[x + c] + a[x - 0] + a[i - d];
+}
+
+
+var a = [];
+var i = 0;
+a.push(i++);
+a.push(i++);
+a.push(i++);
+a.push(i++);
+a.push(i++);
+f(a, 0, false);
+f(a, 0, false);
+f(a, 0, false);
+%OptimizeFunctionOnNextCall(f);
+%DebugPrint(f(a, -0x7fffffff, true));