Skip to content
Permalink
Browse files

[turbofan] Make sure TruncatingUseInfoFromRepresentation respects Smi…

… representation.

Eventually, we want to fix this also for tagged pointers (tracking bug: https://crbug.com/v8/7162).

Bug: chromium:791245
Change-Id: I93d6deff36cedcc9a4665fab0abe6fffdae9b61b
Reviewed-on: https://chromium-review.googlesource.com/806457
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49850}
  • Loading branch information...
jaro-sevcik authored and Commit Bot committed Dec 4, 2017
1 parent c865f3e commit cc07ac73a460de3d933ebe7aebf0f55b741eb5cf
@@ -14,6 +14,7 @@
#include "src/compiler/linkage.h"
#include "src/compiler/node-matchers.h"
#include "src/compiler/simplified-operator.h"
#include "src/compiler/type-cache.h"
#include "src/feedback-vector-inl.h"
#include "src/ic/call-optimization.h"
#include "src/objects-inl.h"
@@ -1397,8 +1398,11 @@ Node* JSCallReducer::DoFilterPostCallbackWork(ElementsKind kind, Node** control,

// We know that {to} is in Unsigned31 range here, being smaller than
// {original_length} at all times.
Node* checked_to =
graph()->NewNode(common()->TypeGuard(Type::Unsigned31()), to, if_true);
DCHECK(TypeCache::Get().kFixedDoubleArrayLengthType->Is(
TypeCache::Get().kFixedArrayLengthType));
Node* checked_to = graph()->NewNode(
common()->TypeGuard(TypeCache::Get().kFixedArrayLengthType), to,
if_true);
Node* elements_length = etrue = graph()->NewNode(
simplified()->LoadField(AccessBuilder::ForFixedArrayLength()), elements,
etrue, if_true);
@@ -2574,6 +2574,9 @@ Node* JSNativeContextSpecialization::BuildExtendPropertiesBackingStore(
}
Node* new_length_and_hash = graph()->NewNode(
simplified()->NumberBitwiseOr(), jsgraph()->Constant(new_length), hash);
// TDOO(jarin) Fix the typer to infer tighter bound for NumberBitwiseOr.
new_length_and_hash = graph()->NewNode(
common()->TypeGuard(Type::SignedSmall()), new_length_and_hash, control);

// Allocate and initialize the new properties.
AllocationBuilder a(jsgraph(), effect, control);
@@ -122,6 +122,7 @@ UseInfo CheckedUseInfoAsFloat64FromHint(NumberOperationHint hint) {
UseInfo TruncatingUseInfoFromRepresentation(MachineRepresentation rep) {
switch (rep) {
case MachineRepresentation::kTaggedSigned:
return UseInfo::TaggedSigned();
case MachineRepresentation::kTaggedPointer:
case MachineRepresentation::kTagged:
return UseInfo::AnyTagged();
@@ -0,0 +1,17 @@
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --expose-gc

var a, b; // Global variables that will end up with number map.

for (var i = 0; i < 100000; i++) {
b = 1;
a = i + -0; // -0 is a number, so this will make "a" a heap object.
b = a;
}

assertTrue(a === b);
gc();
assertTrue(a === b);

0 comments on commit cc07ac7

Please sign in to comment.
You can’t perform that action at this time.