Reviewers: Toon Verwaest,

Message:
PTAL.

Description:
[x64] Fix handling of Smi constants in LSubI and LBitI

Smi immediates are not supported, so instructions with Smi representations need
their constants in a register. LAddI has already been doing this. The
manifestation of the bug was that an operation would compute 0 instead of the
correct result.

BUG=chromium:478612
LOG=y
[email protected]

Please review this at https://codereview.chromium.org/1224623017/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+66, -2 lines):
  M src/x64/lithium-x64.cc
  A test/mjsunit/regress/regress-crbug-478612.js


Index: src/x64/lithium-x64.cc
diff --git a/src/x64/lithium-x64.cc b/src/x64/lithium-x64.cc
index 8f37505527f607eeab6db522f3357bcb342717d7..3c150e21c91d8abc494fdceed031b3801d0c0680 100644
--- a/src/x64/lithium-x64.cc
+++ b/src/x64/lithium-x64.cc
@@ -1307,7 +1307,13 @@ LInstruction* LChunkBuilder::DoBitwise(HBitwise* instr) {
     DCHECK(instr->CheckFlag(HValue::kTruncatingToInt32));

     LOperand* left = UseRegisterAtStart(instr->BetterLeftOperand());
-    LOperand* right = UseOrConstantAtStart(instr->BetterRightOperand());
+    LOperand* right;
+    if (SmiValuesAre32Bits() && instr->representation().IsSmi()) {
+ // We don't support tagged immediates, so we request it in a register.
+      right = UseRegisterAtStart(instr->BetterRightOperand());
+    } else {
+      right = UseOrConstantAtStart(instr->BetterRightOperand());
+    }
     return DefineSameAsFirst(new(zone()) LBitI(left, right));
   } else {
     return DoArithmeticT(instr->op(), instr);
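Review bot: The guard `SmiValuesAre32Bits() && instr->representation().IsSmi()` added in DoBitwise is repeated verbatim in the DoSub hunk below and, per the commit description, already exists for LAddI, so every future instruction that accepts a constant operand has to remember to copy it. Forgetting it produces a silently wrong value rather than a crash, so the decision is better made in one private LChunkBuilder helper called from all three sites; a sketch follows, with a suggested name only. The comment would also be clearer if it gave the reason, as in the sketch. DoBitwise starts and ends outside this hunk.

```cpp
// Proposed private helper on LChunkBuilder (name is a suggestion).
LOperand* LChunkBuilder::UseSmiSafeOrConstantAtStart(HValue* value,
                                                     Representation rep) {
  // With 32-bit Smi values a tagged constant cannot be used as an immediate
  // operand, so it has to be materialized in a register.
  if (SmiValuesAre32Bits() && rep.IsSmi()) return UseRegisterAtStart(value);
  return UseOrConstantAtStart(value);
}

// ... unchanged: DCHECKs and left operand in DoBitwise ...
LOperand* right = UseSmiSafeOrConstantAtStart(instr->BetterRightOperand(),
                                              instr->representation());
```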
@@ -1549,7 +1555,13 @@ LInstruction* LChunkBuilder::DoSub(HSub* instr) {
DCHECK(instr->left()->representation().Equals(instr->representation()));
 DCHECK(instr->right()->representation().Equals(instr->representation()));
     LOperand* left = UseRegisterAtStart(instr->left());
-    LOperand* right = UseOrConstantAtStart(instr->right());
+    LOperand* right;
+    if (SmiValuesAre32Bits() && instr->representation().IsSmi()) {
+ // We don't support tagged immediates, so we request it in a register.
+      right = UseRegisterAtStart(instr->right());
+    } else {
+      right = UseOrConstantAtStart(instr->right());
+    }
     LSubI* sub = new(zone()) LSubI(left, right);
     LInstruction* result = DefineSameAsFirst(sub);
     if (instr->CheckFlag(HValue::kCanOverflow)) {
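Review bot: Nothing in DoSub asserts the invariant this change relies on, namely that an LSubI with Smi representation never receives a constant right operand while `SmiValuesAre32Bits()` holds; the code generator is not part of this diff, so it may or may not check it. The description says the failure was a silent result of 0, and a wrong value from optimized code is hard to notice and may feed later checks that trust it. A debug assertion where LSubI and LBitI emit their constant-operand form would turn a regression into an immediate failure, for example `DCHECK(!SmiValuesAre32Bits() || !instr->hydrogen()->representation().IsSmi());`, assuming the instruction exposes its hydrogen value there. DoSub's body continues past the end of this hunk.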
Index: test/mjsunit/regress/regress-crbug-478612.js
diff --git a/test/mjsunit/regress/regress-crbug-478612.js b/test/mjsunit/regress/regress-crbug-478612.js
new file mode 100644
index 0000000000000000000000000000000000000000..3419722cd018d9c5757165a74b4109f0a7d97418
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-478612.js
@@ -0,0 +1,52 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+// This is used to force binary operations below to have tagged representation.
+var z = {valueOf: function() { return 3; }};
+
+
+function f() {
+  var y = -2;
+  return (1 & z) - y++;
+}
+
+assertEquals(3, f());
+assertEquals(3, f());
+%OptimizeFunctionOnNextCall(f);
+assertEquals(3, f());
+
+
+function g() {
+  var y = 2;
+  return (1 & z) | y++;
+}
+
+assertEquals(3, g());
+assertEquals(3, g());
+%OptimizeFunctionOnNextCall(g);
+assertEquals(3, g());
+
+
+function h() {
+  var y = 3;
+  return (3 & z) & y++;
+}
+
+assertEquals(3, h());
+assertEquals(3, h());
+%OptimizeFunctionOnNextCall(h);
+assertEquals(3, h());
+
+
+function i() {
+  var y = 2;
+  return (1 & z) ^ y++;
+}
+
+assertEquals(3, i());
+assertEquals(3, i());
+%OptimizeFunctionOnNextCall(i);
+assertEquals(3, i());
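Review bot: None of the four cases checks that the function was actually optimized after `%OptimizeFunctionOnNextCall`, so if optimization is skipped or bails out, the third `assertEquals` passes on unoptimized code and the test no longer guards the fixed path. Adding `assertOptimized(f);` after the third call (and likewise for g, h and i) would pin that, provided the helper tolerates the flag combinations the test bots run with. A short comment on why each function uses `y++` rather than a plain literal would also help, since the test presumably depends on that operand ending up as a Smi constant.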

