Revision: 2532 Author: [email protected] Date: Fri Jul 24 00:22:24 2009 Log: Push revisions 2523, 2527 and 2528 to 1.1 branch to fix bug where a floating-point number could be interpreted as a string. Review URL: http://codereview.chromium.org/159341 http://code.google.com/p/v8/source/detail?r=2532
Added: /branches/1.1/test/mjsunit/regress/regress-155924.js Modified: /branches/1.1/src/api.cc /branches/1.1/src/ic-ia32.cc =======================================
--- /dev/null
+++ /branches/1.1/test/mjsunit/regress/regress-155924.js Fri Jul 24 00:22:24 2009
@@ -0,0 +1,46 @@
+// Copyright 2009 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// A HeapNumber with certain bits in the mantissa of the floating point
+// value should not be able to masquerade as a string in a keyed lookup
+// inline cache stub. See http://codereview.chromium.org/155924.
+ +A = [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 ]; + +function foo() { + x = 1 << 26; + x = x * x; + // The following floating-point heap number has a second word similar + // to that of the string "5": + // 2^52 + index << cached_index_shift + cached_index_tag + x = x + (5 << 2) + (1 << 1); + return A[x]; +} + +assertEquals(undefined, foo(), "First lookup A[bad_float]"); +assertEquals(undefined, foo(), "Second lookup A[bad_float]"); +assertEquals(undefined, foo(), "Third lookup A[bad_float]"); ======================================= --- /branches/1.1/src/api.cc Tue Jun 23 00:47:04 2009 +++ /branches/1.1/src/api.cc Fri Jul 24 00:22:24 2009 @@ -2373,7 +2373,7 @@ const char* v8::V8::GetVersion() { - return "1.1.10.14"; + return "1.1.10.15"; } ======================================= --- /branches/1.1/src/ic-ia32.cc Thu Mar 12 00:19:55 2009 +++ /branches/1.1/src/ic-ia32.cc Fri Jul 24 00:22:24 2009 @@ -42,6 +42,10 @@ // Helper function used to load a property from a dictionary backing storage. +// This function may return false negatives, so miss_label +// must always call a backup property load that is complete. +// This function is safe to call if the receiver has fast properties, +// or if name is not a symbol, and will jump to the miss_label in that case. static void GenerateDictionaryLoad(MacroAssembler* masm, Label* miss_label, Register r0, Register r1, Register r2, Register name) { @@ -55,7 +59,7 @@ // // r2 - used to hold the capacity of the property dictionary. // - // name - holds the name of the property and is unchanges. + // name - holds the name of the property and is unchanged. Label done; 
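Review bot: The three identical `assertEquals(undefined, foo(), ...)` calls that close the test are not explained, so a reader cannot tell whether the repetition is deliberate or a copy-paste leftover. Since the fix lives in a keyed-load inline cache stub, the repeated calls presumably drive the lookup through the IC's later states rather than only the first, uninitialized one; a comment above the first call, such as `// Repeat the lookup so the keyed load IC is exercised past its initial state, not just once.`, would record that intent (hedged, since the IC state machine is not visible here). Separately, `x` inside `foo` is assigned without `var` and becomes an implicit global; `var x = 1 << 26;` keeps the fixture self-contained without changing what `A[x]` sees.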
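Review bot: The new header comment on `GenerateDictionaryLoad` uses "false negatives" without saying what a negative is here, which leaves the contract for `miss_label` implicit. Spelling it out as `// This function may jump to miss_label even when the property exists (a false negative), so the code at miss_label must perform a complete property load.` makes the requirement on every caller unambiguous. The rest of the comment (safe for fast-properties receivers and non-symbol names, jumping to miss_label in those cases) is consistent with how the caller in the later hunk uses it; the function body continues outside this hunk.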
@@ -255,15 +259,22 @@
 __ bind(&slow);
 __ IncrementCounter(&Counters::keyed_load_generic_slow, 1);
 KeyedLoadIC::Generate(masm, ExternalReference(Runtime::kKeyedGetProperty));
- // Check if the key is a symbol that is not an array index.
+ __ bind(&check_string);
+ // The key is not a smi.
+ // Is it a string?
+ __ CmpObjectType(eax, FIRST_NONSTRING_TYPE, edx);
+ __ j(above_equal, &slow);
+ // Is the string an array index, with cached numeric value?
 __ mov(ebx, FieldOperand(eax, String::kLengthOffset));
 __ test(ebx, Immediate(String::kIsArrayIndexMask));
 __ j(not_zero, &index_string, not_taken);
- __ mov(ebx, FieldOperand(eax, HeapObject::kMapOffset));
- __ movzx_b(ebx, FieldOperand(ebx, Map::kInstanceTypeOffset));
+
+ // If the string is a symbol, do a quick inline probe of the receiver's
+ // dictionary, if it exists.
+ __ movzx_b(ebx, FieldOperand(edx, Map::kInstanceTypeOffset));
 __ test(ebx, Immediate(kIsSymbolMask));
- __ j(not_zero, &slow, not_taken);
+ __ j(zero, &slow, not_taken);
 // Probe the dictionary leaving result in ecx.
 GenerateDictionaryLoad(masm, &slow, ebx, ecx, edx, eax);
 GenerateCheckNonFunctionOrLoaded(masm, &slow, ecx, edx);
--~--~---------~--~----~------------~-------~--~----~ v8-dev mailing list [email protected] http://groups.google.com/group/v8-dev -~----------~----~----~----~------~----~------~--~---
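Review bot: The added `__ movzx_b(ebx, FieldOperand(edx, Map::kInstanceTypeOffset));` reads the key's map from edx, but edx was only filled as a side effect of `__ CmpObjectType(eax, FIRST_NONSTRING_TYPE, edx);` several instructions earlier, and nothing in between documents that the array-index check must leave edx alone. A comment on the movzx_b line, `// edx still holds the key's map loaded by CmpObjectType above.`, would keep a later edit to the array-index path from silently clobbering it; this type check is what now prevents a non-string heap object's payload from being read as a string length/hash word, so the register it depends on deserves to be named. The new `__ j(above_equal, &slow);` also carries no branch hint while the neighbouring jumps to `slow` use `not_taken`; either is acceptable, but the inconsistency reads as an oversight. The enclosing stub starts and ends outside the hunk, and the jump that reaches `check_string` is not visible here.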
