[v8-dev] Fix harmless HGraph verification failure after hoisting inlined bounds checks (issue 1133343003 by jkummerow@chromium.org)

[jkummerow]

Reviewers: Yang,

Message:
PTAL.
Description:
Fix harmless HGraph verification failure after hoisting inlined bounds  
checks

BUG=chromium:487608
LOG=y
R=yang...@chromium.org

Please review this at https://codereview.chromium.org/1133343003/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+30, -0 lines):
  M src/hydrogen-bce.cc
  A test/mjsunit/regress/regress-crbug-487608.js


Index: src/hydrogen-bce.cc
diff --git a/src/hydrogen-bce.cc b/src/hydrogen-bce.cc
index  
729317eec67776d1c0ec689634c262a453fed3ca..48c1f770d80797fee5d195906f52e7eb11ea67ef  
100644
--- a/src/hydrogen-bce.cc
+++ b/src/hydrogen-bce.cc
@@ -231,12 +231,15 @@ class BoundsCheckBbData: public ZoneObject {
           HArithmeticBinaryOperation::cast(index_raw);
       HValue* left_input = index->left();
       HValue* right_input = index->right();
+      HValue* context = index->context();
       bool must_move_index = false;
       bool must_move_left_input = false;
       bool must_move_right_input = false;
+      bool must_move_context = false;
       for (HInstruction* cursor = end_of_scan_range; cursor !=  
insert_before;) {
         if (cursor == left_input) must_move_left_input = true;
         if (cursor == right_input) must_move_right_input = true;
+        if (cursor == context) must_move_context = true;
         if (cursor == index) must_move_index = true;
         if (cursor->previous() == NULL) {
           cursor = cursor->block()->dominator()->end();
@@ -258,6 +261,11 @@ class BoundsCheckBbData: public ZoneObject {
         HConstant::cast(right_input)->Unlink();
         HConstant::cast(right_input)->InsertBefore(index);
       }
+      if (must_move_context) {
+        // Contexts are always constants.
+        HConstant::cast(context)->Unlink();
+        HConstant::cast(context)->InsertBefore(index);
+      }
     } else if (index_raw->IsConstant()) {
       HConstant* index = HConstant::cast(index_raw);
       bool must_move = false;
Index: test/mjsunit/regress/regress-crbug-487608.js
diff --git a/test/mjsunit/regress/regress-crbug-487608.js  
b/test/mjsunit/regress/regress-crbug-487608.js
new file mode 100644
index  
0000000000000000000000000000000000000000..c1eafce5efe9b945038ef8fb28e34d067d611f5e
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-487608.js
@@ -0,0 +1,22 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function inlined(a, i) {
+  return a[i + 1];
+}
+
+function foo(index) {
+  var a = [0, 1, 2, 3];
+  var result = 0;
+  result += a[index];
+  result += inlined(a, index);
+  return result;
+}
+
+foo(0);
+foo(0);
+%OptimizeFunctionOnNextCall(foo);
+foo(0);


--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
--- 
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.