From 65b894ceaf2becead2324fd0b7acd9d8f8b1f72e Mon Sep 17 00:00:00 2001
From: Michael Hablich
Date: Thu, 10 Mar 2016 14:51:59 +0100
Subject: [PATCH] Version 5.0.71.15 (cherry-pick)
Merged 0c35579093dc5e286ad89e5c7bde3aeb355def07
[crankshaft] Fix invalid ToNumber optimization.
BUG=chromium:590989
LOG=N
R=jkummerow@chromium.org, bmeurer@chromium.org
Review URL: https://codereview.chromium.org/1773183007 .
Cr-Commit-Position: refs/branch-heads/5.0@{#21}
Cr-Branched-From: ad16e6c2cbd2c6b0f2e8ff944ac245561c682ac2-refs/heads/5.0.71@{#1}
Cr-Branched-From: bd9df50d75125ee2ad37b3d92c8f50f0a8b5f030-refs/heads/master@{#34215}
---
 include/v8-version.h | 2 +-
 src/crankshaft/hydrogen.cc | 12 +++++-------
 src/crankshaft/hydrogen.h | 2 +-
 test/mjsunit/regress/regress-crbug-590989-1.js | 18 ++++++++++++++++++
 test/mjsunit/regress/regress-crbug-590989-2.js | 12 ++++++++++++
 5 files changed, 37 insertions(+), 9 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-590989-1.js
 create mode 100644 test/mjsunit/regress/regress-crbug-590989-2.js
diff --git a/include/v8-version.h b/include/v8-version.h
index 69a121c6e95..9ddf825d5ba 100644
--- a/include/v8-version.h
+++ b/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 5
 #define V8_MINOR_VERSION 0
 #define V8_BUILD_NUMBER 71
-#define V8_PATCH_LEVEL 14
+#define V8_PATCH_LEVEL 15
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/src/crankshaft/hydrogen.cc b/src/crankshaft/hydrogen.cc
index 1eccd38789c..9f3654f774c 100644
--- a/src/crankshaft/hydrogen.cc
+++ b/src/crankshaft/hydrogen.cc
@@ -2050,9 +2050,8 @@ HValue* HGraphBuilder::BuildNumberToString(HValue* object, Type* type) {
 return Pop();
 }
-
-HValue* HGraphBuilder::BuildToNumber(HValue* input, Type* input_type) {
- if (input->type().IsTaggedNumber() || input_type->Is(Type::Number())) {
+HValue* HGraphBuilder::BuildToNumber(HValue* input) {
+ if (input->type().IsTaggedNumber()) {
 return input;
 }
 Callable callable = CodeFactory::ToNumber(isolate());
@@ -11129,10 +11128,10 @@ HValue* HGraphBuilder::BuildBinaryOperation(Token::Value op, HValue* left,
 // Special case for +x here.
 if (op == Token::MUL) {
 if (left->EqualsInteger32Constant(1)) {
- return BuildToNumber(right, right_type);
+ return BuildToNumber(right);
 }
 if (right->EqualsInteger32Constant(1)) {
- return BuildToNumber(left, left_type);
+ return BuildToNumber(left);
 }
 }
@@ -12360,8 +12359,7 @@ void HOptimizedGraphBuilder::GenerateToNumber(CallRuntime* call) {
 CHECK_ALIVE(VisitForValue(call->arguments()->at(0)));
 Callable callable = CodeFactory::ToNumber(isolate());
 HValue* input = Pop();
- Type* input_type = Type::Any();
- HValue* result = BuildToNumber(input, input_type);
+ HValue* result = BuildToNumber(input);
 if (result->HasObservableSideEffects()) {
 if (!ast_context()->IsEffect()) Push(result);
 Add(call->id(), REMOVABLE_SIMULATE);
diff --git a/src/crankshaft/hydrogen.h b/src/crankshaft/hydrogen.h
index d41b010ad4d..ce0d0df6aaa 100644
--- a/src/crankshaft/hydrogen.h
+++ b/src/crankshaft/hydrogen.h
@@ -1321,7 +1321,7 @@ class HGraphBuilder {
 bool is_jsarray);
 HValue* BuildNumberToString(HValue* object, Type* type);
- HValue* BuildToNumber(HValue* input, Type* input_type);
+ HValue* BuildToNumber(HValue* input);
 HValue* BuildToObject(HValue* receiver);
 void BuildJSObjectCheck(HValue* receiver,
diff --git a/test/mjsunit/regress/regress-crbug-590989-1.js b/test/mjsunit/regress/regress-crbug-590989-1.js
new file mode 100644
index 00000000000..73118eb20e8
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-590989-1.js
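Review bot: The narrowed early return in BuildToNumber has no comment recording why only `input->type()` may short-circuit the conversion, which leaves room for a later cleanup to bring back a feedback-based shortcut. The removed `input_type->Is(Type::Number())` test returned `input` unconverted with no runtime check in the visible lines, and the regression test attributes the wrong result to type feedback, so the invariant is worth stating: `// Only the HValue's own static type may elide ToNumber; feedback-derived types are not checked at runtime here.` The two call sites in the BuildBinaryOperation hunk no longer pass `left_type`/`right_type` for the same reason. BuildToNumber's body continues past the end of this hunk.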
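Review bot: In GenerateToNumber the context line `Callable callable = CodeFactory::ToNumber(isolate());` is not read by any line visible in this hunk, and BuildToNumber creates its own callable (first hunk of this file), so the local looks dead. If nothing after the hunk uses it, drop the line while this function is being touched. The function's body continues outside the hunk, so this needs a check against the full source.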
@@ -0,0 +1,18 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var o = {}
+var p = {foo: 1.5}
+
+function g(x) { return x.foo === +x.foo; }
+
+assertEquals(false, g(o));
+assertEquals(false, g(o));
+%OptimizeFunctionOnNextCall(g);
+assertEquals(false, g(o)); // Still fine here.
+assertEquals(true, g(p));
+%OptimizeFunctionOnNextCall(g);
+assertEquals(false, g(o)); // Confused by type feedback.
diff --git a/test/mjsunit/regress/regress-crbug-590989-2.js b/test/mjsunit/regress/regress-crbug-590989-2.js
new file mode 100644
index 00000000000..cae1d9db5bd
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-590989-2.js
@@ -0,0 +1,12 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f(x) { return x === +x; }
+
+assertEquals(false, f(undefined));
+assertEquals(false, f(undefined));
+%OptimizeFunctionOnNextCall(f);
+assertEquals(false, f(undefined)); // Interestingly this fails right away.
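Review bot: Both regression tests reach the fix only through unary plus, so just one of the two `EqualsInteger32Constant(1)` branches changed in BuildBinaryOperation is likely exercised; presumably `+x` is lowered to a multiplication by 1 on one side only. A companion case with an explicit multiplication, e.g. `function h(x) { return x === 1 * x; }` and its mirror `x * 1`, run through the same warm-up and `%OptimizeFunctionOnNextCall` sequence, would pin both call sites. The same gap applies to regress-crbug-590989-2.js, which follows in this patch.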