AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Fix HConstants with Smi-ranged HeapNumber values

Browse Source 
BUG=chromium:349878
LOG=y
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/186123003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19693 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This commit is contained in:
jkummerow@chromium.org 2014-03-06 16:21:09 +00:00
parent 5af7d10af5
commit 1cc0bafc07
2 changed files with 43 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/hydrogen-instructions.cc
View File

@ -2562,7 +2562,11 @@ HConstant::HConstant(int32_t integer_value,
boolean_value_(integer_value != 0),
int32_value_(integer_value),
double_value_(FastI2D(integer_value)) {
set_type(has_smi_value_ ? HType::Smi() : HType::TaggedNumber());
// It's possible to create a constant with a value in Smi-range but stored
// in a (pre-existing) HeapNumber. See crbug.com/349878.
bool could_be_heapobject = r.IsTagged() && !object.handle().is_null();
bool is_smi = has_smi_value_ && !could_be_heapobject;
set_type(is_smi ? HType::Smi() : HType::TaggedNumber());
Initialize(r);
}
@ -2582,7 +2586,11 @@ HConstant::HConstant(double double_value,
int32_value_(DoubleToInt32(double_value)),
double_value_(double_value) {
has_smi_value_ = has_int32_value_ && Smi::IsValid(int32_value_);
set_type(has_smi_value_ ? HType::Smi() : HType::TaggedNumber());
// It's possible to create a constant with a value in Smi-range but stored
// in a (pre-existing) HeapNumber. See crbug.com/349878.
bool could_be_heapobject = r.IsTagged() && !object.handle().is_null();
bool is_smi = has_smi_value_ && !could_be_heapobject;
set_type(is_smi ? HType::Smi() : HType::TaggedNumber());
Initialize(r);
}

33
test/mjsunit/regress/regress-crbug-349878.js Normal file
View File

@ -0,0 +1,33 @@
// Copyright 2014 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f(a, b) {
a == b;
}
f({}, {});
var a = { y: 1.5 };
a.y = 777;
var b = a.y;
function h() {
var d = 1;
var e = 777;
while (d-- > 0) e++;
f(1, e);
}
var global;
function g() {
global = b;
return h(b);
}
g();
g();
%OptimizeFunctionOnNextCall(g);
g();