Reviewers: Yang,
Description:
Avoid hydrogen compare-objects-equal assertions in dead code
A ClusterFuzz test is triggering assertions in dead code. This fix emits an
HDeoptimize instruction when it finds that the compare instruction
is dead (because of previous checks).
[email protected]
BUG=359491
LOG=N
Please review this at https://codereview.chromium.org/228883005/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+50, -0 lines):
M src/hydrogen.cc
A test/mjsunit/regress/regress-359491.js
Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index
20fd43c62816211a265d7f4bcd38b69533a8242b..88a9489b4387333def55edeea363aea869d04508
100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -9846,6 +9846,17 @@ HControlInstruction*
HOptimizedGraphBuilder::BuildCompareInstruction(
}
} else if (combined_type->Is(Type::InternalizedString()) &&
Token::IsEqualityOp(op)) {
+ // If we have a constant argument, it should be consistent with the
type
+ // feedback (otherwise we fail assertions in
HCompareObjectEqAndBranch).
+ if ((left->IsConstant() &&
+ !HConstant::cast(left)->HasInternalizedStringValue()) ||
+ (right->IsConstant() &&
+ !HConstant::cast(right)->HasInternalizedStringValue())) {
+ Add<HDeoptimize>("Type mismatch between feedback and constant",
+ Deoptimizer::EAGER);
+ // The caller expects a branch instruction, so make it happy.
+ return New<HBranch>(graph()->GetConstantTrue());
+ }
BuildCheckHeapObject(left);
Add<HCheckInstanceType>(left,
HCheckInstanceType::IS_INTERNALIZED_STRING);
BuildCheckHeapObject(right);
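Review bot: The comment `// The caller expects a branch instruction, so make it happy.` does not say why a constant-true condition is safe, which matters because this guard is what keeps mismatched type feedback away from the `HCompareObjectEqAndBranch` assertion. Assuming the eager `HDeoptimize` is unconditional, as it appears here, I would word it as `// Not reached at runtime: the eager deopt above leaves optimized code first; the branch only satisfies the HControlInstruction return type.` The same block is repeated in the `Type::String()` hunk with only the predicate changed to `HasStringValue()`, so a small private helper would keep the two guards from drifting apart. Both deopts also use the same reason string, so a deopt trace cannot tell which branch fired. `BuildCompareInstruction` starts and ends outside the hunk.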
@@ -9854,6 +9865,17 @@ HControlInstruction*
HOptimizedGraphBuilder::BuildCompareInstruction(
New<HCompareObjectEqAndBranch>(left, right);
return result;
} else if (combined_type->Is(Type::String())) {
+ // If we have a constant argument, it should be consistent with the
type
+ // feedback (otherwise we fail assertions in
HCompareObjectEqAndBranch).
+ if ((left->IsConstant() &&
+ !HConstant::cast(left)->HasStringValue()) ||
+ (right->IsConstant() &&
+ !HConstant::cast(right)->HasStringValue())) {
+ Add<HDeoptimize>("Type mismatch between feedback and constant",
+ Deoptimizer::EAGER);
+ // The caller expects a branch instruction, so make it happy.
+ return New<HBranch>(graph()->GetConstantTrue());
+ }
BuildCheckHeapObject(left);
Add<HCheckInstanceType>(left, HCheckInstanceType::IS_STRING);
BuildCheckHeapObject(right);
Index: test/mjsunit/regress/regress-359491.js
diff --git a/test/mjsunit/regress/regress-359491.js
b/test/mjsunit/regress/regress-359491.js
new file mode 100644
index
0000000000000000000000000000000000000000..1c94329c225eb92b0f4d994884d599841f8cf5a2
--- /dev/null
+++ b/test/mjsunit/regress/regress-359491.js
@@ -0,0 +1,28 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc --stress-opt
+
+function deepEquals(a, b) {
+ if (a === b) { }
+ if (a.splice) {
+ deepEquals(a[0], b[0]);
+ }
+}
+
+function assertEquals(a, b) {
+ deepEquals(a, b);
+}
+
+assertEquals(["x"], ["x"]);
+
+function f() {
+ gc();
+ gc();
+ var v = 1e+10 | 0;
+ deepEquals(-1, v);
+}
+f();
+f();
+f();
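Review bot: The test appears to reach only the `Type::InternalizedString()` guard, because `assertEquals(["x"], ["x"])` seeds the `a === b` feedback from string literals and nothing seeds plain `Type::String()` feedback, so the second guard added in src/hydrogen.cc looks uncovered. A second warm-up with non-literal strings (for example values built by concatenation) followed by another constant-operand call would likely exercise it, though I have not verified which feedback that produces. The file also carries no comment on what it checks and makes no explicit assertion; a line such as `// Passes if optimizing f() with deepEquals(-1, v) does not hit the HCompareObjectEqAndBranch assertion.` above `f` would tell the next reader that not crashing is the pass condition.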
--