Fix bug in x64 immediate operand handling for smi-converting loads

Bug: chromium:802060 Change-Id: I032930af26f7eab8d5d3469ad273bdcdff85b045 Reviewed-on: https://chromium-review.googlesource.com/897723 Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Daniel Clifford <danno@chromium.org> Cr-Commit-Position: refs/heads/master@{#51035}
2018-02-01 05:17:53 -08:00 · 2018-02-01 05:17:53 -08:00 · 9ef2ed3085
commit 9ef2ed3085
parent 51af4f58c0
2 changed files with 29 additions and 1 deletions
--- a/src/compiler/x64/instruction-selector-x64.cc
+++ b/src/compiler/x64/instruction-selector-x64.cc
@ -109,7 +109,7 @@ class X64OperandGenerator final : public OperandGenerator {
        DCHECK(scale_exponent >= 0 && scale_exponent <= 3);
        inputs[(*input_count)++] = UseRegister(index);
        if (displacement != nullptr) {
-          inputs[(*input_count)++] = displacement_mode
+          inputs[(*input_count)++] = displacement_mode == kNegativeDisplacement
                                         ? UseNegatedImmediate(displacement)
                                         : UseImmediate(displacement);
          static const AddressingMode kMRnI_modes[] = {kMode_MR1I, kMode_MR2I,
@ -717,6 +717,10 @@ bool TryMatchLoadWord64AndShiftRight(InstructionSelector* selector, Node* node,
        }
        inputs[input_count++] = ImmediateOperand(ImmediateOperand::INLINE, 4);
      } else {
+        // In the case that the base address was zero, the displacement will be
+        // in a register and replacing it with an immediate is not allowed. This
+        // usually only happens in dead code anyway.
+        if (!inputs[input_count - 1].IsImmediate()) return false;
        int32_t displacement = g.GetImmediateIntegerValue(mleft.displacement());
        inputs[input_count - 1] =
            ImmediateOperand(ImmediateOperand::INLINE, displacement + 4);
--- a/test/mjsunit/regress/regress-802060.js
+++ b/test/mjsunit/regress/regress-802060.js
@ -0,0 +1,24 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function assertEquals(expected, found) {
+  found.length !== expected.length;
+}
+assertEquals([], [])
+assertEquals("a", "a");
+assertEquals([], []);
+function f() {
+  assertEquals(0, undefined);
+}
+try {
+  f();
+} catch (e) {
+}
+%OptimizeFunctionOnNextCall(f);
+try {
+  f();
+} catch (e) {
+}