Reviewers: Yang,
Message:
PTAL.
And thanks for doing most of the legwork on this one!
Description:
Fix HConstants with Smi-ranged HeapNumber values
BUG=chromium:349878
LOG=y
Please review this at https://codereview.chromium.org/186123003/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+28, -13 lines):
M src/hydrogen-instructions.cc
A + test/mjsunit/regress/regress-crbug-349878.js
Index: src/hydrogen-instructions.cc
diff --git a/src/hydrogen-instructions.cc b/src/hydrogen-instructions.cc
index
2a2c43a105e0a228bfc351957e31e4825e36bb5d..4c16d0bb1c948065ffeaaf1ec8ab9a90cb530d7a
100644
--- a/src/hydrogen-instructions.cc
+++ b/src/hydrogen-instructions.cc
@@ -2562,7 +2562,11 @@ HConstant::HConstant(int32_t integer_value,
boolean_value_(integer_value != 0),
int32_value_(integer_value),
double_value_(FastI2D(integer_value)) {
- set_type(has_smi_value_ ? HType::Smi() : HType::TaggedNumber());
+ // It's possible to create a constant with a value in Smi-range but
stored
+ // in a (pre-existing) HeapNumber. See crbug.com/349878.
+ bool is_smi =
+ has_smi_value_ && !(r.IsTagged() && !object.handle().is_null());
+ set_type(is_smi ? HType::Smi() : HType::TaggedNumber());
Initialize(r);
}
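Review bot: The new Smi-versus-HeapNumber decision (`bool is_smi = has_smi_value_ && !(r.IsTagged() && !object.handle().is_null());`) is copied verbatim, comment included, into the `HConstant(double ...)` constructor in the next hunk, so a later correction to one copy can miss the other and leave one path typing a HeapNumber-backed constant as `HType::Smi()` again. I would name the inner condition to remove the double negation, e.g. `bool backed_by_object = r.IsTagged() && !object.handle().is_null();` followed by `set_type(has_smi_value_ && !backed_by_object ? HType::Smi() : HType::TaggedNumber());`, and compute it in one private helper that both constructors call. The comment could also say why the distinction matters, presumably that code optimized for a Smi-typed value must never be handed a heap object. Both constructors begin outside their hunks, so how `object` and `r` reach this point is not visible here.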
@@ -2582,7 +2586,11 @@ HConstant::HConstant(double double_value,
int32_value_(DoubleToInt32(double_value)),
double_value_(double_value) {
has_smi_value_ = has_int32_value_ && Smi::IsValid(int32_value_);
- set_type(has_smi_value_ ? HType::Smi() : HType::TaggedNumber());
+ // It's possible to create a constant with a value in Smi-range but
stored
+ // in a (pre-existing) HeapNumber. See crbug.com/349878.
+ bool is_smi =
+ has_smi_value_ && !(r.IsTagged() && !object.handle().is_null());
+ set_type(is_smi ? HType::Smi() : HType::TaggedNumber());
Initialize(r);
}
Index: test/mjsunit/regress/regress-crbug-349878.js
diff --git a/test/mjsunit/regress/regress-crbug-345715.js
b/test/mjsunit/regress/regress-crbug-349878.js
similarity index 55%
copy from test/mjsunit/regress/regress-crbug-345715.js
copy to test/mjsunit/regress/regress-crbug-349878.js
index
a3753417dfb6f8440ec36f883dc6ac1be4a6c8ce..5ed048ff5475df442cb3a3f0109db3c81780ddbc
100644
--- a/test/mjsunit/regress/regress-crbug-345715.js
+++ b/test/mjsunit/regress/regress-crbug-349878.js
@@ -4,23 +4,30 @@
// Flags: --allow-natives-syntax
-a = {y:1.5};
-a.y = 0;
-b = a.y;
-c = {y:{}};
+function f(a, b) {
+ a == b;
+}
+
+f({}, {});
-function f() {
- return 1;
+var a = { y: 1.5 };
+a.y = 777;
+var b = a.y;
+
+function h() {
+ var d = 1;
+ var e = 777;
+ while (d-- > 0) e++;
+ f(1, e);
}
+var global;
function g() {
- var e = {y: b};
- var d = {x:f()};
- var d = {x:f()};
- return [e, d];
+ global = b;
+ return h(b);
}
g();
g();
%OptimizeFunctionOnNextCall(g);
-assertEquals(1, g()[1].x);
+g();
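Review bot: The regression test ends with a bare `g();` after `%OptimizeFunctionOnNextCall(g)` and asserts nothing, so it can only fail through a crash or an internal check firing; in a build where such checks are compiled out, a reintroduced mis-typing could pass unnoticed. Adding an observable check after the optimized call, for example `assertEquals(777, global);`, would at least pin the value that flows through the constant, though whether it trips on the original bug needs confirming against a pre-fix build. A short header comment would also help, along the lines of `// a.y is created as a double field (1.5) and then set to 777, so b holds a Smi-range value that is presumably backed by a HeapNumber.` The call `h(b)` passes an argument that `h()` does not declare; if that is deliberate, the comment should say so.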