Reviewers: Yang,
Message:
PTAL.
There are other options we could consider, such as updating
HIsSmiAndBranch's
RequiredInputRepresentation after deciding for a known successor. But I'd
prefer
to land this easy, safe fix first, and punt on any more advanced hackery.
Description:
Fix HIsSmiAndBranch::KnownSuccessorBlock() by deleting it
Constants can still change their representation, so we cannot determine
reachability of blocks based on their Smi-ness
BUG=chromium:351320
LOG=y
Please review this at https://codereview.chromium.org/196943002/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+21, -13 lines):
M src/hydrogen-instructions.h
M src/hydrogen-instructions.cc
A test/mjsunit/regress/regress-crbug-351320.js
Index: src/hydrogen-instructions.cc
diff --git a/src/hydrogen-instructions.cc b/src/hydrogen-instructions.cc
index
79c7964d15492ead5d3312a5ef53ad82770c1154..0ad84fe9e59f4d6ae84b426332fd041e352fea30
100644
--- a/src/hydrogen-instructions.cc
+++ b/src/hydrogen-instructions.cc
@@ -3099,17 +3099,6 @@ bool
HIsStringAndBranch::KnownSuccessorBlock(HBasicBlock** block) {
}
-bool HIsSmiAndBranch::KnownSuccessorBlock(HBasicBlock** block) {
- if (FLAG_fold_constants && value()->IsConstant()) {
- *block = HConstant::cast(value())->HasSmiValue()
- ? FirstSuccessor() : SecondSuccessor();
- return true;
- }
- *block = NULL;
- return false;
-}
-
-
bool HIsUndetectableAndBranch::KnownSuccessorBlock(HBasicBlock** block) {
if (FLAG_fold_constants && value()->IsConstant()) {
*block = HConstant::cast(value())->IsUndetectable()
Index: src/hydrogen-instructions.h
diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h
index
c618fdfb544686061721f168ef1fed319f46419e..aa9c4cdb72cbacf9128879004e63e8b73351d720
100644
--- a/src/hydrogen-instructions.h
+++ b/src/hydrogen-instructions.h
@@ -4380,8 +4380,6 @@ class HIsSmiAndBranch V8_FINAL : public
HUnaryControlInstruction {
return Representation::Tagged();
}
- virtual bool KnownSuccessorBlock(HBasicBlock** block) V8_OVERRIDE;
-
protected:
virtual bool DataEquals(HValue* other) V8_OVERRIDE { return true; }
virtual int RedefinedOperandIndex() { return 0; }
Index: test/mjsunit/regress/regress-crbug-351320.js
diff --git a/test/mjsunit/regress/regress-crbug-351320.js
b/test/mjsunit/regress/regress-crbug-351320.js
new file mode 100644
index
0000000000000000000000000000000000000000..24fc641797c17011714c0650dde531f711dff3bb
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-351320.js
@@ -0,0 +1,21 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --fold-constants
+
+var result = 0;
+var o1 = {};
+o2 = {y:1.5};
+o2.y = 0;
+o3 = o2.y;
+
+function crash() {
+ for (var i = 0; i < 10; i++) {
+ result += o1.x + o3.foo;
+ }
+}
+
+crash();
+%OptimizeFunctionOnNextCall(crash);
+crash();
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
