Skip to content
Permalink
Browse files

[turbofan] NumberToString can return non-sequential strings.

TurboFan assumed that the output of NumberToString is always a
sequential string, since that's what we put into the number to
string table. However we might eventually morph these strings
into ThinStrings when we need to internalize them, in which case
the type in TurboFan will be wrong, and we read out of bounds.

Also-By: tebbi@chromium.org
Bug: chromium:822284
Change-Id: I5aebe73028b95849fff72bba262c517677112353
Reviewed-on: https://chromium-review.googlesource.com/964523
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51970}
  • Loading branch information...
bmeurer authored and Commit Bot committed Mar 15, 2018
1 parent 3813cbf commit c65f0a78c33452dc19b52934771ecb2c1ce3a0b8
Showing with 23 additions and 1 deletion.
  1. +1 −1 src/compiler/operation-typer.cc
  2. +22 −0 test/mjsunit/regress/regress-crbug-822284.js
@@ -510,7 +510,7 @@ Type* OperationTyper::NumberToString(Type* type) {
if (type->IsNone()) return type;
if (type->Is(Type::NaN())) return singleton_NaN_string_;
if (type->Is(cache_.kZeroOrMinusZero)) return singleton_zero_string_;
return Type::SeqString();
return Type::String();
}

Type* OperationTyper::NumberToUint32(Type* type) {
@@ -0,0 +1,22 @@
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function foo(a) {
a = "" + Math.abs(a);
return a.charCodeAt(0);
}

// Add '1' to the number to string table (as SeqString).
String.fromCharCode(49);

// Turn the SeqString into a ThinString via forced internalization.
const o = {};
o[(1).toString()] = 1;

assertEquals(49, foo(1));
assertEquals(49, foo(1));
%OptimizeFunctionOnNextCall(foo);
assertEquals(49, foo(1));

0 comments on commit c65f0a7

Please sign in to comment.
You can’t perform that action at this time.