Enforce correct number comparisons when inlining Array.indexOf.

TEST=mjsunit/regress/regress-crbug-407946 BUG=407946 LOG=y R=verwaest@chromium.org Review URL: https://codereview.chromium.org/536393003 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23691 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-04 12:25:57 +00:00 · 2014-09-04 12:25:57 +00:00 · 0baf275e20
commit 0baf275e20
parent da167d747f
2 changed files with 20 additions and 6 deletions
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@ -8808,6 +8808,12 @@ HValue* HOptimizedGraphBuilder::BuildArrayIndexOf(HValue* receiver,

  Push(graph()->GetConstantMinus1());
  if (IsFastDoubleElementsKind(kind) || IsFastSmiElementsKind(kind)) {
+    // Make sure that we can actually compare numbers correctly below, see
+    // https://code.google.com/p/chromium/issues/detail?id=407946 for details.
+    search_element = AddUncasted<HForceRepresentation>(
+        search_element, IsFastSmiElementsKind(kind) ? Representation::Smi()
+                                                    : Representation::Double());
+
    LoopBuilder loop(this, context(), direction);
    {
      HValue* index = loop.BeginBody(initial, terminating, token);
@ -8815,12 +8821,8 @@ HValue* HOptimizedGraphBuilder::BuildArrayIndexOf(HValue* receiver,
          elements, index, static_cast<HValue*>(NULL),
          kind, ALLOW_RETURN_HOLE);
      IfBuilder if_issame(this);
-      if (IsFastDoubleElementsKind(kind)) {
-        if_issame.If<HCompareNumericAndBranch>(
-            element, search_element, Token::EQ_STRICT);
-      } else {
-        if_issame.If<HCompareObjectEqAndBranch>(element, search_element);
-      }
+      if_issame.If<HCompareNumericAndBranch>(element, search_element,
+                                             Token::EQ_STRICT);
      if_issame.Then();
      {
        Drop(1);
--- a/test/mjsunit/regress/regress-crbug-407946.js
+++ b/test/mjsunit/regress/regress-crbug-407946.js
@ -0,0 +1,12 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f(n) { return [0].indexOf((n - n) + 0); }
+
+assertEquals(0, f(.1));
+assertEquals(0, f(.1));
+%OptimizeFunctionOnNextCall(f);
+assertEquals(0, f(.1));