Reviewers: Toon Verwaest,
Message:
PTAL
Description:
Fix for failing asserts in HBoundsCheck code generation on x64: use the proper
cmp operation width instead of asserting that Integer32 values are zero
extended. Similar to chromium:345820.
BUG=349465
LOG=N
Please review this at https://codereview.chromium.org/188703002/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+69, -14 lines):
M src/x64/lithium-codegen-x64.cc
A test/mjsunit/regress/regress-crbug-349465-1.js
A test/mjsunit/regress/regress-crbug-349465-2.js
Index: src/x64/lithium-codegen-x64.cc
diff --git a/src/x64/lithium-codegen-x64.cc b/src/x64/lithium-codegen-x64.cc
index
383cf3783f25892de0f195232babf6d1f697cd3c..695fae97bdf38099fc42e613e6957b3c941e1f9f
100644
--- a/src/x64/lithium-codegen-x64.cc
+++ b/src/x64/lithium-codegen-x64.cc
@@ -4025,44 +4025,51 @@ void LCodeGen::ApplyCheckIf(Condition cc,
LBoundsCheck* check) {
void LCodeGen::DoBoundsCheck(LBoundsCheck* instr) {
- if (instr->hydrogen()->skip_check()) return;
+ HBoundsCheck* hinstr = instr->hydrogen();
+ if (hinstr->skip_check()) return;
+
+ Representation representation = hinstr->length()->representation();
+ ASSERT(representation.Equals(hinstr->index()->representation()));
+ ASSERT(representation.IsSmiOrInteger32());
if (instr->length()->IsRegister()) {
Register reg = ToRegister(instr->length());
- if (!instr->hydrogen()->length()->representation().IsSmi()) {
- __ AssertZeroExtended(reg);
- }
+
if (instr->index()->IsConstantOperand()) {
int32_t constant_index =
ToInteger32(LConstantOperand::cast(instr->index()));
- if (instr->hydrogen()->length()->representation().IsSmi()) {
+ if (representation.IsSmi()) {
__ Cmp(reg, Smi::FromInt(constant_index));
} else {
- __ cmpq(reg, Immediate(constant_index));
+ __ cmpl(reg, Immediate(constant_index));
}
} else {
Register reg2 = ToRegister(instr->index());
- if (!instr->hydrogen()->index()->representation().IsSmi()) {
- __ AssertZeroExtended(reg2);
+ if (representation.IsSmi()) {
+ __ cmpq(reg, reg2);
+ } else {
+ __ cmpl(reg, reg2);
}
- __ cmpq(reg, reg2);
}
} else {
Operand length = ToOperand(instr->length());
if (instr->index()->IsConstantOperand()) {
int32_t constant_index =
ToInteger32(LConstantOperand::cast(instr->index()));
- if (instr->hydrogen()->length()->representation().IsSmi()) {
+ if (representation.IsSmi()) {
__ Cmp(length, Smi::FromInt(constant_index));
} else {
- __ cmpq(length, Immediate(constant_index));
+ __ cmpl(length, Immediate(constant_index));
}
} else {
- __ cmpq(length, ToRegister(instr->index()));
+ if (representation.IsSmi()) {
+ __ cmpq(length, ToRegister(instr->index()));
+ } else {
+ __ cmpl(length, ToRegister(instr->index()));
+ }
}
}
- Condition condition =
- instr->hydrogen()->allow_equality() ? below : below_equal;
+ Condition condition = hinstr->allow_equality() ? below : below_equal;
ApplyCheckIf(condition, instr);
}
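Review bot: With `AssertZeroExtended` removed, nothing in DoBoundsCheck states or checks what the upper 32 bits of an Integer32 length or index register may contain, and the new `cmpl` forms ignore those bits. That is right for the comparison itself, but the bounds check only protects a later element access if that access also uses just the low 32 bits of the index or extends it first. Those consumers are outside this hunk, so this should be confirmed against the keyed load/store paths; the description's reference to chromium:345820 suggests it has mattered before. I would record the invariant above the first `cmpl`, e.g. `// Integer32 values are not guaranteed to be zero-extended; compare the low 32 bits only.`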
Index: test/mjsunit/regress/regress-crbug-349465-1.js
diff --git a/test/mjsunit/regress/regress-crbug-349465-1.js
b/test/mjsunit/regress/regress-crbug-349465-1.js
new file mode 100644
index
0000000000000000000000000000000000000000..2876c6cbe8d51c95a44cae518b7000d5c02cd787
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-349465-1.js
@@ -0,0 +1,17 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --debug-code
+
+__v_1 = new Int32Array(1024);
+function __f_2(__v_1, base, condition) {
+ __v_1[base + 1] = 1;
+ __v_1[base + 4] = 2;
+ __v_1[base + 0] = base + -1;
+}
+__f_2(__v_1, 1, true);
+__f_2(__v_1, -9, true);
+__v_2 = new Int32Array(128);
+%OptimizeFunctionOnNextCall(__f_2);
+__f_2(__v_2, -2, true);
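Review bot: Neither this test nor regress-crbug-349465-2.js asserts anything; both pass as long as the `--debug-code` run does not abort, so a later regression that drops or misplaces a store in optimized code would go unnoticed. After the optimized call `__f_2(__v_2, -2, true)` the only in-bounds store is to index 2, so `assertEquals(2, __v_2[2]);` and `assertEquals(0, __v_2[0]);` would pin that the bounds check let the valid store through and rejected the negative indices. The `condition` parameter is unused and could be dropped if the repro does not depend on the arity.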
Index: test/mjsunit/regress/regress-crbug-349465-2.js
diff --git a/test/mjsunit/regress/regress-crbug-349465-2.js
b/test/mjsunit/regress/regress-crbug-349465-2.js
new file mode 100644
index
0000000000000000000000000000000000000000..6e90c1acc23d2482147f249c327ac4892ee21d81
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-349465-2.js
@@ -0,0 +1,31 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --debug-code
+
+function __f_5() {
+ var __v_9 = {};
+ var __v_10 = [];
+ function __f_14(__v_26) {
+ if (__v_26 | 0 == __v_26) {
+ __v_26 = __v_26 | 0;
+ }
+ if (%_IsSmi(__v_26) && !__v_9[__v_26]) {
+ __v_10.push(__v_26);
+ }
+ }
+ function __f_10(__v_26) {
+ %OptimizeFunctionOnNextCall(__f_14);
+ __f_14(-__v_5);
+ }
+ var __v_5 = 10 * 1000 * 1000 * 1000;
+ for (var __v_6 = 1; __v_6 <= __v_5; __v_6 *= 10) {
+ for (var __v_8 = 0; __v_8 <= 9; __v_8++) {
+ for (var __v_4 = -1; __v_4 <= 1; __v_4++) {
+ __f_10(__v_6 * __v_8 + __v_4);
+ }
+ }
+ }
+}
+__f_5();
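Review bot: The condition `__v_26 | 0 == __v_26` parses as `__v_26 | (0 == __v_26)` because `==` binds tighter than `|`, and `__f_10` ignores its argument and always calls `__f_14(-__v_5)`, so the values computed by the triple loop are never used. If this shape is needed to reproduce the failure (the identifiers suggest a minimised fuzzer case), a comment saying so would keep someone from tidying it away later, e.g. `// Operator precedence and the unused argument are kept from the original repro.`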