AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[turbofan] Fix fast-path of String.prototype.charAt/charCodeAt

Browse Source 
The fast-path of S.p.charAt/charCodeAt wrongly truncates the index,
i.e. charAt(k + 4294967295) yields the same as charAt(k-1). This CL
fixes this behaviour, at the cost of not providing a fast-path for
charAt(1.1), i.e. if charAt/charCodeAt is called with a Number.

Bug: chromium:800594
Change-Id: Ic8e749380d3118f0c9469eb626e81bf72cf09fec
Reviewed-on: https://chromium-review.googlesource.com/860003
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50497}
This commit is contained in:
Sigurd Schneider 2018-01-11 09:38:47 +01:00 committed by Commit Bot
parent d44f75f5c8
commit c5cc568ba1
2 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/compiler/js-call-reducer.cc
View File

@ -3985,7 +3985,7 @@ Reduction JSCallReducer::ReduceStringPrototypeCharAt(Node* node) {
receiver = effect = graph()->NewNode(simplified()->CheckString(p.feedback()),
receiver, effect, control);
if (node->op()->ValueInputCount() >= 3) {
index = effect = graph()->NewNode(simplified()->CheckNumber(p.feedback()),
index = effect = graph()->NewNode(simplified()->CheckSmi(p.feedback()),
NodeProperties::GetValueInput(node, 2),
effect, control);
// Map -0 and NaN to 0 (as per ToInteger), and the values in
@ -4043,7 +4043,7 @@ Reduction JSCallReducer::ReduceStringPrototypeCharCodeAt(Node* node) {
receiver = effect = graph()->NewNode(simplified()->CheckString(p.feedback()),
receiver, effect, control);
if (node->op()->ValueInputCount() >= 3) {
index = effect = graph()->NewNode(simplified()->CheckNumber(p.feedback()),
index = effect = graph()->NewNode(simplified()->CheckSmi(p.feedback()),
NodeProperties::GetValueInput(node, 2),
effect, control);

4
test/mjsunit/constant-folding-2.js
View File

@ -33,8 +33,6 @@ function test(f) {
f();
%OptimizeFunctionOnNextCall(f);
f();
// Assert that there has been no deopt.
assertOptimized(f);
}
test(function add() {
@ -234,6 +232,7 @@ test(function stringCharCodeAt() {
assertEquals("NaN", String("abc".charCodeAt(4)));
assertEquals(98, "abc".charCodeAt(1.1));
assertEquals("NaN", String("abc".charCodeAt(4.1)));
assertEquals("NaN", String("abc".charCodeAt(1 + 4294967295)));
});
test(function stringCharAt() {
@ -242,6 +241,7 @@ test(function stringCharAt() {
assertEquals("", "abc".charAt(4));
assertEquals("b", "abc".charAt(1.1));
assertEquals("", "abc".charAt(4.1));
assertEquals("", String("abc".charAt(1 + 4294967295)));
});