Fix HConstants with Smi-ranged HeapNumber values

BUG=chromium:349878
LOG=y
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/186123003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19693 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
parent 5af7d10a
...@@ -2562,7 +2562,11 @@ HConstant::HConstant(int32_t integer_value, ...@@ -2562,7 +2562,11 @@ HConstant::HConstant(int32_t integer_value,
boolean_value_(integer_value != 0), boolean_value_(integer_value != 0),
int32_value_(integer_value), int32_value_(integer_value),
double_value_(FastI2D(integer_value)) { double_value_(FastI2D(integer_value)) {
set_type(has_smi_value_ ? HType::Smi() : HType::TaggedNumber()); // It's possible to create a constant with a value in Smi-range but stored
// in a (pre-existing) HeapNumber. See crbug.com/349878.
bool could_be_heapobject = r.IsTagged() && !object.handle().is_null();
bool is_smi = has_smi_value_ && !could_be_heapobject;
set_type(is_smi ? HType::Smi() : HType::TaggedNumber());
Initialize(r); Initialize(r);
} }
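Review bot: The four new lines that derive the constant's type (the comment, `could_be_heapobject`, `is_smi`, and the `set_type` call) are duplicated verbatim in this hunk and in the double-constructor hunk at 2586; the crbug.com/349878 rationale would then live in one place if both constructors called a single private helper that takes the same `r` and `object` arguments and returns the computed `HType`. The two constructors already diverge in how `has_smi_value_` is obtained (in the double constructor it is assigned in the body just before the check, here it appears to come from the initializer list, which starts outside the hunk), so a helper taking `has_smi_value_` explicitly keeps that difference visible. The comment could also say what goes wrong otherwise, e.g. `// Typing such a constant as Smi would be wrong: the object it refers to is a HeapNumber, not a Smi.` The constructor signature, where `r` and `object` are declared, is outside the hunk.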
...@@ -2582,7 +2586,11 @@ HConstant::HConstant(double double_value, ...@@ -2582,7 +2586,11 @@ HConstant::HConstant(double double_value,
int32_value_(DoubleToInt32(double_value)), int32_value_(DoubleToInt32(double_value)),
double_value_(double_value) { double_value_(double_value) {
has_smi_value_ = has_int32_value_ && Smi::IsValid(int32_value_); has_smi_value_ = has_int32_value_ && Smi::IsValid(int32_value_);
set_type(has_smi_value_ ? HType::Smi() : HType::TaggedNumber()); // It's possible to create a constant with a value in Smi-range but stored
// in a (pre-existing) HeapNumber. See crbug.com/349878.
bool could_be_heapobject = r.IsTagged() && !object.handle().is_null();
bool is_smi = has_smi_value_ && !could_be_heapobject;
set_type(is_smi ? HType::Smi() : HType::TaggedNumber());
Initialize(r); Initialize(r);
} }
// Copyright 2014 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f(a, b) {
a == b;
}
f({}, {});
var a = { y: 1.5 };
a.y = 777;
var b = a.y;
function h() {
var d = 1;
var e = 777;
while (d-- > 0) e++;
f(1, e);
}
var global;
function g() {
global = b;
return h(b);
}
g();
g();
%OptimizeFunctionOnNextCall(g);
g();
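Review bot: The regression test has no assertion and no comment saying what it guards against, so it is not obvious to a reader that it passes only by not failing inside the optimizer when `g` is compiled with the Smi-ranged HeapNumber constant. A short header after the flags line would make that explicit, e.g. `// Regression test for crbug.com/349878: a Smi-ranged value stored in a HeapNumber must not be typed as Smi when g is optimized.` The call `h(b)` passes an argument to a function declared without parameters; if the extra argument is part of the original reproduction it deserves a one-line comment, otherwise `return h();` reads more clearly.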