From 63fa99798bc22e511c8feb3294f721ef58b18d9a Mon Sep 17 00:00:00 2001
From: Jaroslav Sevcik
Date: Mon, 29 Apr 2019 10:48:17 +0200
Subject: [PATCH] Merged: [turbofan] Fix bounds check for the 'in' operator on typed arrays.
Revision: d2bfdafe200f4d100fc2ffbf5d6b5d1a542bf1f7
BUG=chromium:952586
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=neis@chromium.org
Change-Id: I2cd0e656a0720be737574f0b4d748cad40c84b2b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587380
Reviewed-by: Georg Neis
Commit-Queue: Jaroslav Sevcik
Cr-Commit-Position: refs/branch-heads/7.5@{#8}
Cr-Branched-From: 35b9bf5cf697b1c0fe4313c1313782d626d2afaa-refs/heads/7.5.288@{#1}
Cr-Branched-From: 912b3912b4fc294083fadcac672571bb43c2f37e-refs/heads/master@{#60911}
---
 src/compiler/js-native-context-specialization.cc | 2 +-
 test/mjsunit/compiler/regress-952586.js | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 test/mjsunit/compiler/regress-952586.js
diff --git a/src/compiler/js-native-context-specialization.cc b/src/compiler/js-native-context-specialization.cc
index 4308903c9d1..dea47cc0966 100644
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@@ -2661,7 +2661,7 @@ JSNativeContextSpecialization::BuildElementAccess(
 // below are performed on unsigned values, which means that all the
 // Negative32 values are treated as out-of-bounds.
 index = graph()->NewNode(simplified()->NumberToUint32(), index);
- } else if (access_mode != AccessMode::kHas) {
+ } else {
 // Check that the {index} is in the valid range for the {receiver}.
 index = effect = graph()->NewNode(
 simplified()->CheckBounds(VectorSlotPair()), index,
diff --git a/test/mjsunit/compiler/regress-952586.js b/test/mjsunit/compiler/regress-952586.js
new file mode 100644
index 00000000000..0a17ed76820
--- /dev/null
+++ b/test/mjsunit/compiler/regress-952586.js
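Review bot: The new `} else {` branch now sends AccessMode::kHas through the same CheckBounds as loads and stores, but the surviving comment `// Check that the {index} is in the valid range for the {receiver}.` does not record that including the 'in' operator is deliberate, so a later reader trimming "unnecessary" checks on `in` could reintroduce the exclusion this commit removes; the only rationale lives in the commit message (BUG=chromium:952586). Suggest extending the comment to `// Check that the {index} is in the valid range for the {receiver}. This intentionally` / `// also applies to AccessMode::kHas: the 'in' operator on a typed array must not skip the bounds check.` BuildElementAccess starts and ends outside the hunk, so how the kHas path consumes the checked index afterwards cannot be confirmed from here.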
@@ -0,0 +1,15 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+a = new Int8Array(1);
+
+function f(i) {
+ return i in a;
+}
+
+assertTrue(f(0));
+%OptimizeFunctionOnNextCall(f);
+assertFalse(f(-1));
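Review bot: The regression test exercises only the negative side of the restored bounds check (`assertFalse(f(-1));`); an index equal to the array length goes through the same CheckBounds node on the new side and is left uncovered. Since the first out-of-bounds call presumably deoptimizes f, a further assertion on f would no longer run optimized code, so a second optimized function is the simplest way to cover the upper bound. The lines below reuse the same one-element Int8Array and follow the existing assertTrue / %OptimizeFunctionOnNextCall / assertFalse pattern.
```javascript
// … unchanged: license header, Flags line, Int8Array setup, f and its assertions …

function g(i) {
  return i in a;
}

assertTrue(g(0));
%OptimizeFunctionOnNextCall(g);
assertFalse(g(1));
```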