Comment #2 on issue 2306 by [email protected]: Unexpected bounds-check
bailout accessing Int8Array
http://code.google.com/p/v8/issues/detail?id=2306
> 0xbffb435c: [top + 16] <- 0x49e3b77d ; ebx 0x49e3b77d <Number: 1799618>
> which indicates that index is a tagged HeapNumber, not a smi.
> Here is a somewhat artificial example I came up with:
Ah - I missed that that was a HeapNumber. I do some odd arithmetic to try
and avoid deopts that were coming from address calculations, hence this:
    var regs = new Int32Array(32);
    ...
    var addr = regs[base] + offset;
    if (addr >= -2147483648 && addr < -2139095040) {
      value = lhu(arr, addr + 0x80000000);
    }
rather than this:
    var regs = new Uint32Array(32);
    ...
    var addr = regs[base] + offset;
    if (addr >= 0x80000000 && addr < 0x80800000) {
      value = lhu(arr, addr);
    }
I wonder if this odd arithmetic means that sometimes HeapNumbers are
generated, and other times SMIs? It's definitely testing some edge cases.
A bit more background might be useful: I dynamically generate some
specialised JS for each memory access, hard-coding the base+offset in each
case. So I have dozens of fragments like this:
    function op_0x8027f538_0x94ea0000(c,ram) {
      // .. preamble omitted
      var value;
      var addr = c.gprLo_signed[7] + 0;
      if (addr >= -2147483648 && addr < -2139095040) {
        value = lhu(ram, addr + 0x80000000);
      } else {
        value = n64js.readMemoryU16(addr>>>0);
      }
      c.gprLo_signed[10] = value;
      c.gprHi_signed[10] = 0;
      //postamble emitted...
      return 0;
    };
So I'm wondering if some of these end up generating SMIs, and others
HeapNumbers. The code to calculate addr should be identical though, so I
can't think what the difference might be (other than whether the fragment
has been optimised or not).
> Can you attach hydrogen representation for lhu that deopts to the issue
> so that we can try to relate it with my artificial one?
Attached as lhu_hydrogen.txt - is this what you needed? In case this isn't
what you're looking for, I've attached the complete hydrogen.cfg from a
short session.
> Can you also try to beef up assertions in the lhu to check that a is a
> number (typeof a === "number") and not a minus zero (a !== 0 || (1/a) ===
> (1/0)).
I did this and still see no assertions fire.
Attachments:
lhu_hydrogen.txt 4.8 KB
hydrogen.cfg.gz 850 KB
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
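
An added illustration, not code from the thread or from V8: the two assertions suggested in the thread inspect the JavaScript value only, so they pass for 1799618 whether the engine holds it as a smi or as a HeapNumber. The function names are hypothetical, the register value is a constructed sample, and the 31-bit smi range for 32-bit builds is an assumption.

```javascript
// Added illustration. Names are hypothetical; the 31-bit smi range is an
// assumption about 32-bit V8 builds, not something stated in the thread.
const SMI_MIN = -(2 ** 30);
const SMI_MAX = 2 ** 30 - 1;

// True when the value could be stored as a smi under the assumed range.
function fitsSmi(v) {
  return Number.isInteger(v) && !Object.is(v, -0) && v >= SMI_MIN && v <= SMI_MAX;
}

// The two assertions proposed in the thread, returned as a list of failures.
function checkIndex(a) {
  const failures = [];
  if (typeof a !== "number") failures.push("not a number");
  if (!(a !== 0 || (1 / a) === (1 / 0))) failures.push("minus zero");
  return failures;
}

// Signed address check from the message. Returns the raw address and the
// index handed to lhu, or null when the address is outside the checked range.
function signedIndex(regs, base, offset) {
  const addr = regs[base] + offset;
  if (addr >= -2147483648 && addr < -2139095040) {
    return { addr: addr, index: addr + 0x80000000 };
  }
  return null;
}

// Constructed sample: a register value whose index is 1799618, the number
// shown in the deopt trace.
const regs = new Int32Array(32);
regs[7] = -2147483648 + 1799618;
const sample = signedIndex(regs, 7, 0);

console.log(sample, fitsSmi(sample.addr), fitsSmi(sample.index), checkIndex(sample.index));
```

The intermediate `addr` lies outside the assumed smi range while the index lies inside it, and neither assertion can tell which representation the optimised code actually used.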