Revision: 20620
Author: [email protected]
Date: Wed Apr 9 13:08:28 2014 UTC
Log: Avoid hydrogen compare-objects-equal assertions in dead code
ClusterFuzz test is triggering assertions for dead code. This fix issues
HDeoptimize instruction when it finds out that the compare instruction
is dead (because of previous checks).
[email protected]
BUG=359491
LOG=N
Review URL: https://codereview.chromium.org/228883005
http://code.google.com/p/v8/source/detail?r=20620
Added:
/branches/bleeding_edge/test/mjsunit/regress/regress-359491.js
Modified:
/branches/bleeding_edge/src/hydrogen.cc
=======================================
--- /dev/null
+++ /branches/bleeding_edge/test/mjsunit/regress/regress-359491.js Wed Apr
9 13:08:28 2014 UTC
@@ -0,0 +1,31 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f(a, b, mode) {
+ if (mode) {
+ return a === b;
+ } else {
+ return a === b;
+ }
+}
+
+// Gather type feedback for both branches.
+f("a", "b", 1);
+f("c", "d", 1);
+f("a", "b", 0);
+f("c", "d", 0);
+
+function g(mode) {
+ var x = 1e10 | 0;
+ f(x, x, mode);
+}
+
+// Gather type feedback for g, but only on one branch for f.
+g(1);
+g(1);
+%OptimizeFunctionOnNextCall(g);
+// Optimize g, which inlines f. Both branches in f will see the constant.
+g(0);
=======================================
--- /branches/bleeding_edge/src/hydrogen.cc Wed Apr 9 07:35:12 2014 UTC
+++ /branches/bleeding_edge/src/hydrogen.cc Wed Apr 9 13:08:28 2014 UTC
@@ -9846,6 +9846,17 @@
}
} else if (combined_type->Is(Type::InternalizedString()) &&
Token::IsEqualityOp(op)) {
+ // If we have a constant argument, it should be consistent with the
type
+ // feedback (otherwise we fail assertions in
HCompareObjectEqAndBranch).
+ if ((left->IsConstant() &&
+ !HConstant::cast(left)->HasInternalizedStringValue()) ||
+ (right->IsConstant() &&
+ !HConstant::cast(right)->HasInternalizedStringValue())) {
+ Add<HDeoptimize>("Type mismatch between feedback and constant",
+ Deoptimizer::SOFT);
+ // The caller expects a branch instruction, so make it happy.
+ return New<HBranch>(graph()->GetConstantTrue());
+ }
BuildCheckHeapObject(left);
Add<HCheckInstanceType>(left,
HCheckInstanceType::IS_INTERNALIZED_STRING);
BuildCheckHeapObject(right);
@@ -9854,6 +9865,17 @@
New<HCompareObjectEqAndBranch>(left, right);
return result;
} else if (combined_type->Is(Type::String())) {
+ // If we have a constant argument, it should be consistent with the
type
+ // feedback (otherwise we fail assertions in
HCompareObjectEqAndBranch).
+ if ((left->IsConstant() &&
+ !HConstant::cast(left)->HasStringValue()) ||
+ (right->IsConstant() &&
+ !HConstant::cast(right)->HasStringValue())) {
+ Add<HDeoptimize>("Type mismatch between feedback and constant",
+ Deoptimizer::SOFT);
+ // The caller expects a branch instruction, so make it happy.
+ return New<HBranch>(graph()->GetConstantTrue());
+ }
BuildCheckHeapObject(left);
Add<HCheckInstanceType>(left, HCheckInstanceType::IS_STRING);
BuildCheckHeapObject(right);
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
