Reviewers: Hannes Payer,
Message:
PTAL
Description:
[turbofan] Fix missing ChangeUint32ToUint64 in lowering of LoadBuffer.
TEST=mjsunit/compiler/regress-444695
BUG=chromium:444695
LOG=y
Please review this at https://codereview.chromium.org/824843002/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+11, -10 lines):
M src/compiler/simplified-lowering.cc
A + test/mjsunit/compiler/regress-444695.js
Index: src/compiler/simplified-lowering.cc
diff --git a/src/compiler/simplified-lowering.cc
b/src/compiler/simplified-lowering.cc
index
c4b1b57d1fb0804ce16e50cb69856ced06e3f6e8..74ddb53dd1d9142aa8463858aeadcd21b02afe6c
100644
--- a/src/compiler/simplified-lowering.cc
+++ b/src/compiler/simplified-lowering.cc
@@ -1147,14 +1147,18 @@ void SimplifiedLowering::DoLoadBuffer(Node* node,
MachineType output_type,
Node* const length = node->InputAt(2);
Node* const effect = node->InputAt(3);
Node* const control = node->InputAt(4);
+ Node* const index =
+ machine()->Is64()
+ ? graph()->NewNode(machine()->ChangeUint32ToUint64(), offset)
+ : offset;
Node* check = graph()->NewNode(machine()->Uint32LessThan(), offset,
length);
Node* branch =
graph()->NewNode(common()->Branch(BranchHint::kTrue), check,
control);
Node* if_true = graph()->NewNode(common()->IfTrue(), branch);
- Node* etrue = graph()->NewNode(machine()->Load(type), buffer, offset,
- effect, if_true);
+ Node* etrue =
+ graph()->NewNode(machine()->Load(type), buffer, index, effect,
if_true);
Node* vtrue = changer->GetRepresentationFor(etrue, type, output_type);
Node* if_false = graph()->NewNode(common()->IfFalse(), branch);
Index: test/mjsunit/compiler/regress-444695.js
diff --git a/test/mjsunit/compiler/regress-443744.js
b/test/mjsunit/compiler/regress-444695.js
similarity index 55%
copy from test/mjsunit/compiler/regress-443744.js
copy to test/mjsunit/compiler/regress-444695.js
index
5e7f3bc9dbd50cf112e278248e39e78cd3d5374c..168ae25c7052d8abbe47bac9b571bac1b2eceb3a
100644
--- a/test/mjsunit/compiler/regress-443744.js
+++ b/test/mjsunit/compiler/regress-444695.js
@@ -2,13 +2,10 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-var m = (function(stdlib, foreign, heap) {
+var foo = (function(stdlib, foreign, heap) {
"use asm";
var MEM = new stdlib.Uint8Array(heap);
- function f(x) {
- x = x | 0;
- MEM[x] = 0;
- }
- return {f: f};
-})(this, {}, new ArrayBuffer(1));
-m.f(-926416896 * 32 * 1024);
+ function foo(x) { MEM[x | 0] *= 0; }
+ return {foo: foo};
+})(this, {}, new ArrayBuffer(1)).foo;
+foo(-926416896 * 8 * 1024);
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
