From f576e29c475d104d93176042d2a79066ad8f638c Mon Sep 17 00:00:00 2001 From: bmeurer Date: Tue, 7 Jun 2016 20:55:25 -0700 Subject: [PATCH] [crankshaft] Fix invalid number truncation assumption on HAdd inputs. In Crankshaft we don't know reliably know that an HAdd might not turn into a string addition later (via deoptimization), so we cannot set the HValue::kAllowUndefinedAsNaN flag on the HAdd instruction in those cases. It doesn't seem to affect performance if we just remove the flag completely from the HAdd instruction, so let's stick to that approach for now. R=jarin@chromium.org BUG=v8:5074 Review-Url: https://codereview.chromium.org/2048643002 Cr-Commit-Position: refs/heads/master@{#36805} --- src/crankshaft/hydrogen-instructions.h | 5 +++++ test/mjsunit/compiler/regress-5074.js | 18 ++++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 test/mjsunit/compiler/regress-5074.js diff --git a/src/crankshaft/hydrogen-instructions.h b/src/crankshaft/hydrogen-instructions.h index 514882145f2..b10e3ab819c 100644 --- a/src/crankshaft/hydrogen-instructions.h +++ b/src/crankshaft/hydrogen-instructions.h @@ -4370,6 +4370,11 @@ class HAdd final : public HArithmeticBinaryOperation { SetChangesFlag(kNewSpacePromotion); ClearFlag(kAllowUndefinedAsNaN); } + if (!right()->type().IsTaggedNumber() && + !right()->representation().IsDouble() && + !right()->representation().IsSmiOrInteger32()) { + ClearFlag(kAllowUndefinedAsNaN); + } } Representation RepresentationFromInputs() override; diff --git a/test/mjsunit/compiler/regress-5074.js b/test/mjsunit/compiler/regress-5074.js new file mode 100644 index 00000000000..903b54ad980 --- /dev/null +++ b/test/mjsunit/compiler/regress-5074.js @@ -0,0 +1,18 @@ +// Copyright 2016 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax + +var s = [,0.1]; + +function foo(a, b) { + var x = s[a]; + s[1] = 0.1; + return x + b; +} + +assertEquals(2.1, foo(1, 2)); +assertEquals(2.1, foo(1, 2)); +%OptimizeFunctionOnNextCall(foo); +assertEquals("undefined2", foo(0, "2"));