[crankshaft] Range analysis should not rely on overflowed ranges.

BUG=chromium:645438 Review-Url: https://codereview.chromium.org/2412853002 Cr-Commit-Position: refs/heads/master@{#40202}
2016-10-12 02:06:01 -07:00 · 2016-10-12 02:06:01 -07:00 · 9a0109d72e
commit 9a0109d72e
parent edfe391ef5
3 changed files with 37 additions and 4 deletions
--- a/src/crankshaft/hydrogen-instructions.cc
+++ b/src/crankshaft/hydrogen-instructions.cc
@ -259,7 +259,11 @@ bool Range::AddAndCheckOverflow(const Representation& r, Range* other) {
  bool may_overflow = false;
  lower_ = AddWithoutOverflow(r, lower_, other->lower(), &may_overflow);
  upper_ = AddWithoutOverflow(r, upper_, other->upper(), &may_overflow);
-  KeepOrder();
+  if (may_overflow) {
+    Clear();
+  } else {
+    KeepOrder();
+  }
 #ifdef DEBUG
  Verify();
 #endif
@ -271,13 +275,21 @@ bool Range::SubAndCheckOverflow(const Representation& r, Range* other) {
  bool may_overflow = false;
  lower_ = SubWithoutOverflow(r, lower_, other->upper(), &may_overflow);
  upper_ = SubWithoutOverflow(r, upper_, other->lower(), &may_overflow);
-  KeepOrder();
+  if (may_overflow) {
+    Clear();
+  } else {
+    KeepOrder();
+  }
 #ifdef DEBUG
  Verify();
 #endif
  return may_overflow;
 }

+void Range::Clear() {
+  lower_ = kMinInt;
+  upper_ = kMaxInt;
+}

 void Range::KeepOrder() {
  if (lower_ > upper_) {
@ -301,8 +313,12 @@ bool Range::MulAndCheckOverflow(const Representation& r, Range* other) {
  int v2 = MulWithoutOverflow(r, lower_, other->upper(), &may_overflow);
  int v3 = MulWithoutOverflow(r, upper_, other->lower(), &may_overflow);
  int v4 = MulWithoutOverflow(r, upper_, other->upper(), &may_overflow);
-  lower_ = Min(Min(v1, v2), Min(v3, v4));
-  upper_ = Max(Max(v1, v2), Max(v3, v4));
+  if (may_overflow) {
+    Clear();
+  } else {
+    lower_ = Min(Min(v1, v2), Min(v3, v4));
+    upper_ = Max(Max(v1, v2), Max(v3, v4));
+  }
 #ifdef DEBUG
  Verify();
 #endif
--- a/src/crankshaft/hydrogen-instructions.h
+++ b/src/crankshaft/hydrogen-instructions.h
@ -235,6 +235,7 @@ class Range final : public ZoneObject {
    lower_ = Max(lower_, Smi::kMinValue);
    upper_ = Min(upper_, Smi::kMaxValue);
  }
+  void Clear();
  void KeepOrder();
 #ifdef DEBUG
  void Verify() const;
--- a/test/mjsunit/regress/regress-crbug-645438.js
+++ b/test/mjsunit/regress/regress-crbug-645438.js
@ -0,0 +1,16 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function n(x,y){
+  y = (y-(0x80000000|0)|0);
+  return (x/y)|0;
+};
+var x = -0x80000000;
+var y = 0x7fffffff;
+n(x,y);
+n(x,y);
+%OptimizeFunctionOnNextCall(n);
+assertEquals(x, n(x,y));