[turbofan] Fixes crash caused by truncated bigint
Bug: chromium:1028191 Change-Id: Idfcd678b3826fb6238d10f1e4195b02be35c3010 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1936468 Commit-Queue: Nico Hartmann <nicohartmann@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#65173}
parent
a0206daa78
commit
3ce6be0275
@ -1254,7 +1254,13 @@ class RepresentationSelector {
|
|||||||
void VisitObjectState(Node* node) {
|
void VisitObjectState(Node* node) {
|
||||||
if (propagate()) {
|
if (propagate()) {
|
||||||
for (int i = 0; i < node->InputCount(); i++) {
|
for (int i = 0; i < node->InputCount(); i++) {
|
||||||
EnqueueInput(node, i, UseInfo::Any());
|
// TODO(nicohartmann): Remove, once the deoptimizer can rematerialize
|
||||||
|
// truncated BigInts.
|
||||||
|
if (TypeOf(node->InputAt(i)).Is(Type::BigInt())) {
|
||||||
|
EnqueueInput(node, i, UseInfo::AnyTagged());
|
||||||
|
} else {
|
||||||
|
EnqueueInput(node, i, UseInfo::Any());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
} else if (lower()) {
|
} else if (lower()) {
|
||||||
Zone* zone = jsgraph_->zone();
|
Zone* zone = jsgraph_->zone();
|
||||||
@ -1265,6 +1271,11 @@ class RepresentationSelector {
|
|||||||
Node* input = node->InputAt(i);
|
Node* input = node->InputAt(i);
|
||||||
(*types)[i] =
|
(*types)[i] =
|
||||||
DeoptMachineTypeOf(GetInfo(input)->representation(), TypeOf(input));
|
DeoptMachineTypeOf(GetInfo(input)->representation(), TypeOf(input));
|
||||||
|
// TODO(nicohartmann): Remove, once the deoptimizer can rematerialize
|
||||||
|
// truncated BigInts.
|
||||||
|
if (TypeOf(node->InputAt(i)).Is(Type::BigInt())) {
|
||||||
|
ConvertInput(node, i, UseInfo::AnyTagged());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
NodeProperties::ChangeOp(node, jsgraph_->common()->TypedObjectState(
|
NodeProperties::ChangeOp(node, jsgraph_->common()->TypedObjectState(
|
||||||
ObjectIdOf(node->op()), types));
|
ObjectIdOf(node->op()), types));
|
||||||
|
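Review bot: In the lowering hunk the deopt machine type is recorded before the BigInt input is converted: `(*types)[i]` is derived from `GetInfo(input)->representation()`, and only afterwards does `ConvertInput(node, i, UseInfo::AnyTagged())` run. If a BigInt input ever reaches this point with a non-tagged representation, the object state would presumably hold a tagged value described by a word-sized machine type, a mismatch the deoptimizer could misread when rematerializing the object. Consider setting `(*types)[i] = MachineType::AnyTagged();` inside the BigInt branch, or extend the TODO comment to say that the propagate-phase `UseInfo::AnyTagged()` is what guarantees a tagged representation here. The new check can also reuse the existing local: `if (TypeOf(input).Is(Type::BigInt())) {`. VisitObjectState continues past the end of this hunk, and whether sibling visitors for other deopt state nodes need the same guard cannot be told from this page.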
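--- /dev/null
+++ b/test/mjsunit/regress/regress-1028191.js
@@ -0,0 +1,23 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+"use strict";
+
+function f(a, b, c) {
+let x = BigInt.asUintN(64, a + b);
+try {
+x + c;
+} catch(_) {
+eval();
+}
+return x;
+}
+
+%PrepareFunctionForOptimization(f);
+assertEquals(f(3n, 5n), 8n);
+assertEquals(f(8n, 12n), 20n);
+%OptimizeFunctionOnNextCall(f);
+assertEquals(f(2n, 3n), 5n);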
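Review bot: The test depends on `f` always being called with two arguments, so that `c` is undefined and `x + c` throws into the `catch` on every call, but nothing in the file says the missing argument is deliberate. A short comment above `f` would keep a later cleanup from "fixing" it, for example `// c is intentionally left undefined: x + c throws, keeping the truncated BigInt x live across the catch.` The purpose of the bare `eval()` is likewise unstated; presumably it is needed to reproduce the original frame state, and the comment should say so if that is the case.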