AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[turbofan] Fix typed lowering of JSToLength.

Browse Source 
When lowering JSToLength, we cannot just smash arbitrary bounds on the
Select nodes, as that will confuse the representation selection later.
Instead properly rename the input using NumberMax and NumberMin.

R=jarin@chromium.org
BUG=chromium:657478

Review-Url: https://codereview.chromium.org/2440333002
Cr-Commit-Position: refs/heads/master@{#40519}
This commit is contained in:
bmeurer 2016-10-23 23:36:41 -07:00 committed by Commit bot
parent a2d4a7932e
commit a58d7907ea
2 changed files with 17 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/compiler/js-typed-lowering.cc
View File

@ -983,23 +983,12 @@ Reduction JSTypedLowering::ReduceJSToLength(Node* node) {
input = jsgraph()->Constant(kMaxSafeInteger); input = jsgraph()->Constant(kMaxSafeInteger);
} else { } else {
if (input_type->Min() <= 0.0) { if (input_type->Min() <= 0.0) {
input = graph()->NewNode( input = graph()->NewNode(simplified()->NumberMax(),
common()->Select(MachineRepresentation::kTagged), jsgraph()->ZeroConstant(), input);
graph()->NewNode(simplified()->NumberLessThanOrEqual(), input,
jsgraph()->ZeroConstant()),
jsgraph()->ZeroConstant(), input);
input_type = Type::Range(0.0, input_type->Max(), graph()->zone());
NodeProperties::SetType(input, input_type);
} }
if (input_type->Max() > kMaxSafeInteger) { if (input_type->Max() > kMaxSafeInteger) {
input = graph()->NewNode( input = graph()->NewNode(simplified()->NumberMin(),
common()->Select(MachineRepresentation::kTagged), jsgraph()->Constant(kMaxSafeInteger), input);
graph()->NewNode(simplified()->NumberLessThanOrEqual(),
jsgraph()->Constant(kMaxSafeInteger), input),
jsgraph()->Constant(kMaxSafeInteger), input);
input_type =
Type::Range(input_type->Min(), kMaxSafeInteger, graph()->zone());
NodeProperties::SetType(input, input_type);
} }
} }
ReplaceWithValue(node, input); ReplaceWithValue(node, input);

13
test/mjsunit/regress/regress-crbug-657478.js Normal file
View File

@ -0,0 +1,13 @@
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo(o) { return %_ToLength(o.length); }
foo(new Array(4));
foo(new Array(Math.pow(2, 32) - 1));
foo({length: 10});
%OptimizeFunctionOnNextCall(foo);
foo({length: 10});