[turbofan] Fix typed lowering of JSToLength.
When lowering JSToLength, we cannot just smash arbitrary bounds on the Select nodes, as that will confuse the representation selection later. Instead properly rename the input using NumberMax and NumberMin. R=jarin@chromium.org BUG=chromium:657478 Review-Url: https://codereview.chromium.org/2440333002 Cr-Commit-Position: refs/heads/master@{#40519}
This commit is contained in:
parent
a2d4a7932e
commit
a58d7907ea
@ -983,23 +983,12 @@ Reduction JSTypedLowering::ReduceJSToLength(Node* node) {
|
||||
input = jsgraph()->Constant(kMaxSafeInteger);
|
||||
} else {
|
||||
if (input_type->Min() <= 0.0) {
|
||||
input = graph()->NewNode(
|
||||
common()->Select(MachineRepresentation::kTagged),
|
||||
graph()->NewNode(simplified()->NumberLessThanOrEqual(), input,
|
||||
jsgraph()->ZeroConstant()),
|
||||
jsgraph()->ZeroConstant(), input);
|
||||
input_type = Type::Range(0.0, input_type->Max(), graph()->zone());
|
||||
NodeProperties::SetType(input, input_type);
|
||||
input = graph()->NewNode(simplified()->NumberMax(),
|
||||
jsgraph()->ZeroConstant(), input);
|
||||
}
|
||||
if (input_type->Max() > kMaxSafeInteger) {
|
||||
input = graph()->NewNode(
|
||||
common()->Select(MachineRepresentation::kTagged),
|
||||
graph()->NewNode(simplified()->NumberLessThanOrEqual(),
|
||||
jsgraph()->Constant(kMaxSafeInteger), input),
|
||||
jsgraph()->Constant(kMaxSafeInteger), input);
|
||||
input_type =
|
||||
Type::Range(input_type->Min(), kMaxSafeInteger, graph()->zone());
|
||||
NodeProperties::SetType(input, input_type);
|
||||
input = graph()->NewNode(simplified()->NumberMin(),
|
||||
jsgraph()->Constant(kMaxSafeInteger), input);
|
||||
}
|
||||
}
|
||||
ReplaceWithValue(node, input);
|
||||
|
13
test/mjsunit/regress/regress-crbug-657478.js
Normal file
13
test/mjsunit/regress/regress-crbug-657478.js
Normal file
@ -0,0 +1,13 @@
|
||||
// Copyright 2016 the V8 project authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style license that can be
|
||||
// found in the LICENSE file.
|
||||
|
||||
// Flags: --allow-natives-syntax
|
||||
|
||||
function foo(o) { return %_ToLength(o.length); }
|
||||
|
||||
foo(new Array(4));
|
||||
foo(new Array(Math.pow(2, 32) - 1));
|
||||
foo({length: 10});
|
||||
%OptimizeFunctionOnNextCall(foo);
|
||||
foo({length: 10});
|
Loading…
Reference in New Issue
Block a user