[turbofan] Fix invalid bounds check with overflowing offset.

TEST=mjsunit/compiler/regress-445267
BUG=chromium:445267
LOG=y

Review URL: https://codereview.chromium.org/825403002

Cr-Commit-Position: refs/heads/master@{#25945}

diff --git a/src/compiler/x64/instruction-selector-x64.cc b/src/compiler/x64/instruction-selector-x64.cc
index 2dfd401..aba480d 100644 (file)
--- a/src/compiler/x64/instruction-selector-x64.cc
+++ b/src/compiler/x64/instruction-selector-x64.cc
@@ -237,6 +237,7 @@ void InstructionSelector::VisitCheckedLoad(Node* node) {
     Int32Matcher mlength(length);
     Int32BinopMatcher moffset(offset);
     if (mlength.HasValue() && moffset.right().HasValue() &&
+        moffset.right().Value() >= 0 &&
         mlength.Value() >= moffset.right().Value()) {
       Emit(opcode, g.DefineAsRegister(node), g.UseRegister(buffer),
            g.UseRegister(moffset.left().node()),
@@ -285,6 +286,7 @@ void InstructionSelector::VisitCheckedStore(Node* node) {
     Int32Matcher mlength(length);
     Int32BinopMatcher moffset(offset);
     if (mlength.HasValue() && moffset.right().HasValue() &&
+        moffset.right().Value() >= 0 &&
         mlength.Value() >= moffset.right().Value()) {
       Emit(opcode, nullptr, g.UseRegister(buffer),
            g.UseRegister(moffset.left().node()),

diff --git a/test/mjsunit/compiler/regress-445267.js b/test/mjsunit/compiler/regress-445267.js
new file mode 100644 (file)
index 0000000..465168b
--- /dev/null
+++ b/test/mjsunit/compiler/regress-445267.js
@@ -0,0 +1,16 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var foo = (function Module(stdlib, foreign, heap) {
+  "use asm";
+  var MEM16 = new stdlib.Int16Array(heap);
+  function foo(i) {
+    i = i|0;
+    i = MEM16[i + 2147483650 >> 1]|0;
+    return i;
+  }
+  return { foo: foo };
+})(this, {}, new ArrayBuffer(64 * 1024)).foo;
+
+foo(0);