b8b6075021
Loop variable analysis doesn't recognize that the initial type of the loop variable phi combined with the increment type may produce a NaN result through the addition of two infinities of differing sign. This leads to unreachable code and a SIGINT crash. The fix is to consider this case before typing the loop variable phi, falling back to more conservative typing if discovered. R=neis@chromium.org Bug: chromium:1028863 Change-Id: Ic4b5189c4c50c5bbe29e46050de630fd0673de9f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1946352 Commit-Queue: Michael Stanton <mvstanton@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#65291}
25 lines
552 B
JavaScript
25 lines
552 B
JavaScript
// Copyright 2019 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
function write(begin, end, step) {
|
|
for (var i = begin; i >= end; i += step) {
|
|
step = end - begin;
|
|
begin >>>= 805306382;
|
|
}
|
|
}
|
|
|
|
function bar() {
|
|
for (let i = 0; i < 10000; i++) {
|
|
write(Infinity, 1, 1);
|
|
}
|
|
}
|
|
|
|
%PrepareFunctionForOptimization(write);
|
|
%PrepareFunctionForOptimization(bar);
|
|
bar();
|
|
%OptimizeFunctionOnNextCall(bar);
|
|
bar();
|