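--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -16338,9 +16338,37 @@ GlobOpt::OptArraySrc(IR::Instr * *const instrRef)
 )
 )
 {
-eliminatedLowerBoundCheck = true;
-eliminatedUpperBoundCheck = true;
-canBailOutOnArrayAccessHelperCall = false;
+// Unless we're in asm.js (where it is guaranteed that virtual typed array accesses cannot read/write beyond 4GB),
+// check the range of the index to make sure we won't access beyond the reserved memory beforing eliminating bounds
+// checks in jitted code.
+if (!GetIsAsmJSFunc())
+{
+IR::RegOpnd * idxOpnd = baseOwnerIndir->GetIndexOpnd();
+if (idxOpnd)
+{
+StackSym * idxSym = idxOpnd->m_sym->IsTypeSpec() ? idxOpnd->m_sym->GetVarEquivSym(nullptr) : idxOpnd->m_sym;
+Value * idxValue = FindValue(idxSym);
+IntConstantBounds idxConstantBounds;
+if (idxValue && idxValue->GetValueInfo()->TryGetIntConstantBounds(&idxConstantBounds))
+{
+BYTE indirScale = Lowerer::GetArrayIndirScale(baseValueType);
+int32 upperBound = idxConstantBounds.UpperBound();
+int32 lowerBound = idxConstantBounds.LowerBound();
+if (lowerBound >= 0 && ((static_cast<uint64>(upperBound) << indirScale) < MAX_ASMJS_ARRAYBUFFER_LENGTH))
+{
+eliminatedLowerBoundCheck = true;
+eliminatedUpperBoundCheck = true;
+canBailOutOnArrayAccessHelperCall = false;
+}
+}
+}
+}
+else
+{
+eliminatedLowerBoundCheck = true;
+eliminatedUpperBoundCheck = true;
+canBailOutOnArrayAccessHelperCall = false;
+}
 }
 }
 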
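Review bot: The new guard `if (lowerBound >= 0 && ((static_cast<uint64>(upperBound) << indirScale) < MAX_ASMJS_ARRAYBUFFER_LENGTH))` compares only the start byte of the highest possible access, not its full element width, so it keeps the access inside the reservation only if MAX_ASMJS_ARRAYBUFFER_LENGTH is a multiple of the widest element size (presumably it is, but nothing in the hunk states or asserts that). Checking the end of the element instead removes that dependency: `if (lowerBound >= 0 && (((static_cast<uint64>(upperBound) + 1) << indirScale) <= MAX_ASMJS_ARRAYBUFFER_LENGTH))`. The three flag assignments are now duplicated in the asm.js and non-asm.js branches; computing a single `bool canEliminateBoundsChecks` and assigning the flags once after the `if`/`else` would keep the two paths from drifting apart. The added comment also has a typo, `beforing` should read `before`. OptArraySrc begins and ends outside this hunk, so the enclosing conditions that lead to this block are not visible here.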