Commit 2bc9d01e authored by Benedikt Meurer's avatar Benedikt Meurer Committed by Commit Bot

[turbofan] Fix negative offset handling in escape analysis.

Bug: chromium:906220
Change-Id: I72547d92ffad4039c22dd7ce2d1438fe85f9c190
Reviewed-on: https://chromium-review.googlesource.com/c/1340292
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57600}
parent 2cf36eb8
......@@ -516,7 +516,7 @@ Maybe<int> OffsetOfElementsAccess(const Operator* op, Node* index_node) {
double max = index_type.Max();
double min = index_type.Min();
int index = static_cast<int>(min);
if (!(index == min && index == max)) return Nothing<int>();
if (index < 0 || index != min || index != max) return Nothing<int>();
return Just(OffsetOfElementAt(ElementAccessOf(op), index));
}
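Review bot: The narrowing `static_cast<int>(min)` still runs before any range check, so the added `index < 0` test only inspects the result of a conversion that is undefined when `min` lies outside the range of `int`. That could happen if the index type's lower bound is -infinity or very large; whether the type check earlier in the function rules this out is not visible in this hunk. Checking the double first removes that dependency: `if (min != max || min < 0 || min > std::numeric_limits<int>::max()) return Nothing<int>();`, then `int index = static_cast<int>(min);` and `if (index != min) return Nothing<int>();` to reject fractional values. A comment on the guard such as `// Only a single non-negative, int-representable constant index maps to a field offset.` would record why negative indices are rejected. OffsetOfElementsAccess begins above the hunk, so the preceding type check should be confirmed against the full function.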
......
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo() { new Array().pop(); }
assertEquals(undefined, foo());
assertEquals(undefined, foo());
%OptimizeFunctionOnNextCall(foo);
assertEquals(undefined, foo());