From c7d2adc0a28c7eb83bb0ce898235b760cb01d394 Mon Sep 17 00:00:00 2001
From: bmeurer
Date: Thu, 21 Jan 2016 23:54:40 -0800
Subject: [PATCH] [crankshaft] For-in index increment cannot overflow.
The internal index used to implement for-in can never leave the valid smi range, so there's no need to actually check for overflow in Crankshaft. In fact the overflow only triggered a false alert in the deopt fuzzer.
R=jarin@chromium.org
BUG=v8:3650
LOG=n
Review URL: https://codereview.chromium.org/1621623002
Cr-Commit-Position: refs/heads/master@{#33456}
---
 src/crankshaft/hydrogen.cc | 5 ++++-
 test/mjsunit/regress/regress-3650-1.js | 22 ++++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 test/mjsunit/regress/regress-3650-1.js
diff --git a/src/crankshaft/hydrogen.cc b/src/crankshaft/hydrogen.cc
index c7185c98f2..f56f362f3a 100644
--- a/src/crankshaft/hydrogen.cc
+++ b/src/crankshaft/hydrogen.cc
@@ -5444,7 +5444,10 @@ void HOptimizedGraphBuilder::BuildForInBody(ForInStatement* stmt,
 set_current_block(body_exit);
 HValue* current_index = Pop();
- Push(AddUncasted(current_index, graph()->GetConstant1()));
+ HValue* increment =
+ AddUncasted(current_index, graph()->GetConstant1());
+ increment->ClearFlag(HValue::kCanOverflow);
+ Push(increment);
 body_exit = current_block();
 }
diff --git a/test/mjsunit/regress/regress-3650-1.js b/test/mjsunit/regress/regress-3650-1.js
new file mode 100644
index 0000000000..db91ec2d4e
--- /dev/null
+++ b/test/mjsunit/regress/regress-3650-1.js
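Review bot: The `increment->ClearFlag(HValue::kCanOverflow);` line in the src/crankshaft/hydrogen.cc hunk removes an overflow check from optimized code, but nothing at the call site records why that is sound; the justification exists only in the commit message. If the for-in index ever stopped being confined to smi range, the add would presumably wrap instead of deoptimizing, so the invariant belongs next to the flag, e.g. `// The for-in index never leaves the valid smi range, so this add cannot overflow.` BuildForInBody starts and ends outside the hunk, so how the index is bounded is not visible here and should be confirmed against the loop condition.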
@@ -0,0 +1,22 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --deopt-every-n-times=55
+// Flags: --nodead-code-elimination
+
+function f(t) {
+ var result = [];
+ for (var i in t) {
+ for (var j in t) {
+ result.push(i + j + t[i] + t[j]);
+ continue;
+ }
+ }
+ return result.join('');
+}
+
+var t = {a: "1", b: "2"};
+assertEquals("aa11ab12ba21bb22", f(t));
+%OptimizeFunctionOnNextCall(f);
+assertEquals("aa11ab12ba21bb22", f(t));
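Review bot: The new regress-3650-1.js has no comment saying what it guards, and the parts that look load-bearing for the reproduction (the `--deopt-every-n-times=55` value, `--nodead-code-elimination`, and the otherwise redundant `continue;` in the inner loop) are unexplained. A later cleanup could drop any of them and leave a test that still passes but no longer exercises the for-in increment. I would add a short header above `function f(t)`, for example `// Regression test for v8:3650: the for-in index increment must not trip the deopt fuzzer.`, plus a one-line comment on the `continue;` stating that it is intentional.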