[v8-dev] Version 3.27.34.18 (merged r23691) (issue 551393004 by bmeurer@chromium.org)

[bmeurer]

Reviewers: Michael Achenbach,

Description:
Version 3.27.34.18 (merged r23691)
Enforce correct number comparisons when inlining Array.indexOf.

BUG=407946
LOG=N
R=machenb...@chromium.org

Please review this at https://codereview.chromium.org/551393004/

SVN Base: https://v8.googlecode.com/svn/branches/3.27

Affected files (+13, -15 lines):
  M src/hydrogen.cc
  M src/version.cc
  A + test/mjsunit/regress/regress-crbug-407946.js


Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index  
8fff497eea9f1da5752b5af2342a3508acd7c833..09b709485b5c48be52d8f2c5c6f093d38c12cb7b  
100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -8674,6 +8674,12 @@ HValue*  
HOptimizedGraphBuilder::BuildArrayIndexOf(HValue* receiver,

   Push(graph()->GetConstantMinus1());
   if (IsFastDoubleElementsKind(kind) || IsFastSmiElementsKind(kind)) {
+    // Make sure that we can actually compare numbers correctly below, see
+    // https://code.google.com/p/chromium/issues/detail?id=407946 for  
details.
+    search_element = AddUncasted<HForceRepresentation>(
+        search_element, IsFastSmiElementsKind(kind) ? Representation::Smi()
+                                                    :  
Representation::Double());
+
     LoopBuilder loop(this, context(), direction);
     {
       HValue* index = loop.BeginBody(initial, terminating, token);
@@ -8681,12 +8687,8 @@ HValue*  
HOptimizedGraphBuilder::BuildArrayIndexOf(HValue* receiver,
           elements, index, static_cast<HValue*>(NULL),
           kind, ALLOW_RETURN_HOLE);
       IfBuilder if_issame(this);
-      if (IsFastDoubleElementsKind(kind)) {
-        if_issame.If<HCompareNumericAndBranch>(
-            element, search_element, Token::EQ_STRICT);
-      } else {
-        if_issame.If<HCompareObjectEqAndBranch>(element, search_element);
-      }
+      if_issame.If<HCompareNumericAndBranch>(element, search_element,
+                                             Token::EQ_STRICT);
       if_issame.Then();
       {
         Drop(1);
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index  
9a294d5502a3af03fffa06a2a1c74931ee782581..20356dbeeb1e72d14c8a5287fe1a0a486ab7fba9  
100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     27
 #define BUILD_NUMBER      34
-#define PATCH_LEVEL       17
+#define PATCH_LEVEL       18
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
Index: test/mjsunit/regress/regress-crbug-407946.js
diff --git a/test/mjsunit/regress/regress-crbug-357330.js  
b/test/mjsunit/regress/regress-crbug-407946.js
similarity index 65%
copy from test/mjsunit/regress/regress-crbug-357330.js
copy to test/mjsunit/regress/regress-crbug-407946.js
index  
b3edf00843e1a9d202212c24d96dc3ad5d027f12..d5687cca342ca1ef4432f2fc7880588e9c3c53d9  
100644
--- a/test/mjsunit/regress/regress-crbug-357330.js
+++ b/test/mjsunit/regress/regress-crbug-407946.js
@@ -4,13 +4,9 @@

 // Flags: --allow-natives-syntax

-function f(foo) {
-  var g;
-  true ? (g = foo + 0) : g = null;
-  if (null != g) {}
-};
+function f(n) { return [0].indexOf((n - n) + 0); }

-f(1.4);
-f(1.4);
+assertEquals(0, f(.1));
+assertEquals(0, f(.1));
 %OptimizeFunctionOnNextCall(f);
-f(1.4);
+assertEquals(0, f(.1));


--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
--- 
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.