ba1b2cc09a
SL's VisitSpeculativeIntegerAdditiveOp was setting Signed32 as restriction type even when relying on a Word32 truncation in order to skip the overflow check. This is not sound. Bug: chromium:1150649 Change-Id: I3113a2102c62d6ecef342c98d25daf31431c01ed Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2557498 Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#71364}
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
/**
 * Regression case for chromium:1150649. The driver code below warms this
 * function up with a truthy argument and then calls it again, after
 * requesting optimization, with a falsy one.
 *
 * NOTE(review): keep the statement shapes exactly as written (`var`, the
 * loose `== NaN` comparison, the `|0`); the test presumably depends on them
 * to reproduce the typing pattern, so do not modernize this function.
 *
 * @param {*} a - truthy selects y = -1; falsy leaves y at 2^31 - 1.
 * @returns {boolean} whether (y + 1)|0 is negative: false when y is -1
 *     (z is 0), true when y is 2^31 - 1 (2^31 wraps to -2^31 under |0).
 */
function foo(a) {
  var y = 0x7fffffff; // 2^31 - 1

  // Widen the static type of y (this condition never holds).
  // A comparison against NaN is always false, so the assignment below never
  // executes; it exists only so that the compiler cannot type y as a constant.
  if (a == NaN) y = NaN;

  // The next condition holds only in the warmup run. It leads to Smi
  // (SignedSmall) feedback being collected for the addition below.
  if (a) y = -1;

  // With y = 0x7fffffff the sum is 2^31, which does not fit in a signed
  // 32-bit integer; `|0` wraps it to -2^31.
  // NOTE(review): per the commit message, this truncating use appears to be
  // what allowed the overflow check on the addition to be skipped -- confirm
  // against the bug report.
  const z = (y + 1)|0;
  return z < 0;
}
// Driver: one unoptimized warmup call, then one call after optimization has
// been requested. The %-prefixed calls are V8 natives and need the
// --allow-natives-syntax flag declared at the top of the file.
%PrepareFunctionForOptimization(foo);
// Warmup run: a is truthy, so y = -1, z = 0 and the result is false.
assertFalse(foo(true));
%OptimizeFunctionOnNextCall(foo);
// Post-optimization run: y stays 2^31 - 1, so (y + 1)|0 must wrap to -2^31
// and the result must be true.
// NOTE(review): a build with the unsound Signed32 restriction type described
// in the commit message would presumably fail this assertion -- confirm.
assertTrue(foo(false));