Google Git
Sign in
chromium / v8 / v8 / 58ab990aa8c3aeee38e888c1c33404f4b5a14759
commit58ab990aa8c3aeee38e888c1c33404f4b5a14759[log] [tgz]
authorbmeurer <bmeurer@chromium.org>Fri Feb 26 11:05:22 2016
committerCommit bot <commit-bot@chromium.org>Fri Feb 26 11:06:30 2016
tree53455e1113b8eb6badb628d1bf418cff1a06a72f
parentcb29f9cdbceace4e8ea3a9701e421acea3ff9c6d [diff]
[turbofan] Bailout if LoadBuffer typing assumption doesn't hold.

The LoadBuffer operator that is used for asm.js heap access claims to
return only the appropriate typed array type, but out of bounds access
could make it return undefined. So far we tried to "repair" the graph
later if we see that our assumption was wrong, and for various reasons
that worked for some time. But now that wrong type information that is
propagated earlier is picked up appropriately and thus we generate wrong
code, i.e. we in the repro case we feed NaN into ChangeFloat64Uint32 and
thus get 2147483648 instead of 0 (with proper JS truncation).

This was always considered a temporary hack until we have a proper
asm.js pipeline, but since we still run asm.js through the generic
JavaScript pipeline, we have to address this now. Quickfix is to just
bailout from the pipeline when we see that the LoadBuffer type was
wrong, i.e. the result of LoadBuffer is not properly truncated and thus
undefined or NaN would be observable.

R=mstarzinger@chromium.org, jarin@chromium.org
BUG=chromium:589792
LOG=y

Review URL: https://codereview.chromium.org/1740123002

Cr-Commit-Position: refs/heads/master@{#34322}
6 files changed
tree: 53455e1113b8eb6badb628d1bf418cff1a06a72f
  1. benchmarks/
  2. build/
  3. docs/
  4. include/
  5. infra/
  6. samples/
  7. src/
  8. test/
  9. testing/
  10. third_party/
  11. tools/
  12. .clang-format
  13. .gitignore
  14. .ycm_extra_conf.py
  15. AUTHORS
  16. BUILD.gn
  17. ChangeLog
  18. codereview.settings
  19. DEPS
  20. LICENSE
  21. LICENSE.strongtalk
  22. LICENSE.v8
  23. LICENSE.valgrind
  24. Makefile
  25. Makefile.android
  26. Makefile.nacl
  27. OWNERS
  28. PRESUBMIT.py
  29. README.md
  30. snapshot_toolchain.gni
  31. WATCHLISTS
README.md

V8 JavaScript Engine

V8 is Google's open source JavaScript engine.

V8 implements ECMAScript as specified in ECMA-262.

V8 is written in C++ and is used in Google Chrome, the open source browser from Google.

V8 can run standalone, or can be embedded into any C++ application.

V8 Project page: https://github.com/v8/v8/wiki

Getting the Code

Checkout depot tools, and run

    fetch v8

This will checkout V8 into the directory v8 and fetch all of its dependencies. To stay up to date, run

    git pull origin
    gclient sync

For fetching all branches, add the following into your remote configuration in .git/config:

    fetch = +refs/branch-heads/*:refs/remotes/branch-heads/*
    fetch = +refs/tags/*:refs/tags/*

Contributing

Please follow the instructions mentioned on the V8 wiki.