[turbofan] Bailout if LoadBuffer typing assumption doesn't hold.

The LoadBuffer operator that is used for asm.js heap access claims to
return only the appropriate typed array type, but out of bounds access
could make it return undefined. So far we tried to "repair" the graph
later if we see that our assumption was wrong, and for various reasons
that worked for some time. But now that wrong type information that is
propagated earlier is picked up appropriately and thus we generate wrong
code, i.e. we in the repro case we feed NaN into ChangeFloat64Uint32 and
thus get 2147483648 instead of 0 (with proper JS truncation).

This was always considered a temporary hack until we have a proper
asm.js pipeline, but since we still run asm.js through the generic
JavaScript pipeline, we have to address this now. Quickfix is to just
bailout from the pipeline when we see that the LoadBuffer type was
wrong, i.e. the result of LoadBuffer is not properly truncated and thus
undefined or NaN would be observable.

R=mstarzinger@chromium.org, jarin@chromium.org
BUG=chromium:589792
LOG=y

Review URL: https://codereview.chromium.org/1740123002

Cr-Commit-Position: refs/heads/master@{#34322}
6 files changed
tree: 53455e1113b8eb6badb628d1bf418cff1a06a72f
  1. .clang-format
  2. .gitignore
  3. .ycm_extra_conf.py
  4. AUTHORS
  5. BUILD.gn
  6. ChangeLog
  7. DEPS
  8. LICENSE
  9. LICENSE.strongtalk
  10. LICENSE.v8
  11. LICENSE.valgrind
  12. Makefile
  13. Makefile.android
  14. Makefile.nacl
  15. OWNERS
  16. PRESUBMIT.py
  17. README.md
  18. WATCHLISTS
  19. benchmarks/
  20. build/
  21. codereview.settings
  22. docs/
  23. include/
  24. infra/
  25. samples/
  26. snapshot_toolchain.gni
  27. src/
  28. test/
  29. testing/
  30. third_party/
  31. tools/
README.md

V8 JavaScript Engine

V8 is Google's open source JavaScript engine.

V8 implements ECMAScript as specified in ECMA-262.

V8 is written in C++ and is used in Google Chrome, the open source browser from Google.

V8 can run standalone, or can be embedded into any C++ application.

V8 Project page: https://github.com/v8/v8/wiki

Getting the Code

Checkout depot tools, and run

    fetch v8

This will checkout V8 into the directory v8 and fetch all of its dependencies. To stay up to date, run

    git pull origin
    gclient sync

For fetching all branches, add the following into your remote configuration in .git/config:

    fetch = +refs/branch-heads/*:refs/remotes/branch-heads/*
    fetch = +refs/tags/*:refs/tags/*

Contributing

Please follow the instructions mentioned on the V8 wiki.