[crankshaft] Range analysis should not rely on overflowed ranges.

BUG=chromium:645438 Review-Url: https://codereview.chromium.org/2412853002 Cr-Commit-Position: refs/heads/master@{#40202}

[crankshaft] Range analysis should not rely on overflowed ranges.
BUG=chromium:645438 Review-Url: https://codereview.chromium.org/2412853002 Cr-Commit-Position: refs/heads/master@{#40202}
9a0109d7 · ishell · Commit bot · edfe391e · 9a0109d7 · 9a0109d7
Commit 9a0109d7 authored Oct 12, 2016 by ishell Committed by Commit bot Oct 12, 2016
Showing with 37 additions and 4 deletions

hydrogen-instructions.cc src/crankshaft/hydrogen-instructions.cc +20 -4

hydrogen-instructions.h src/crankshaft/hydrogen-instructions.h +1 -0

regress-crbug-645438.js test/mjsunit/regress/regress-crbug-645438.js +16 -0

No files found.
--- a/src/crankshaft/hydrogen-instructions.cc
+++ b/src/crankshaft/hydrogen-instructions.cc
@@ -259,7 +259,11 @@ bool Range::AddAndCheckOverflow(const Representation& r, Range* other) {
  bool may_overflow = false;
  lower_ = AddWithoutOverflow(r, lower_, other->lower(), &may_overflow);
  upper_ = AddWithoutOverflow(r, upper_, other->upper(), &may_overflow);
-  KeepOrder();
+  if (may_overflow) {
+    Clear();
+  } else {
+    KeepOrder();
+  }
 #ifdef DEBUG
  Verify();
 #endif
@@ -271,13 +275,21 @@ bool Range::SubAndCheckOverflow(const Representation& r, Range* other) {
  bool may_overflow = false;
  lower_ = SubWithoutOverflow(r, lower_, other->upper(), &may_overflow);
  upper_ = SubWithoutOverflow(r, upper_, other->lower(), &may_overflow);
-  KeepOrder();
+  if (may_overflow) {
+    Clear();
+  } else {
+    KeepOrder();
+  }
 #ifdef DEBUG
  Verify();
 #endif
  return may_overflow;
 }

+void Range::Clear() {
+  lower_ = kMinInt;
+  upper_ = kMaxInt;
+}

 void Range::KeepOrder() {
  if (lower_ > upper_) {
@@ -301,8 +313,12 @@ bool Range::MulAndCheckOverflow(const Representation& r, Range* other) {
  int v2 = MulWithoutOverflow(r, lower_, other->upper(), &may_overflow);
  int v3 = MulWithoutOverflow(r, upper_, other->lower(), &may_overflow);
  int v4 = MulWithoutOverflow(r, upper_, other->upper(), &may_overflow);
-  lower_ = Min(Min(v1, v2), Min(v3, v4));
-  upper_ = Max(Max(v1, v2), Max(v3, v4));
+  if (may_overflow) {
+    Clear();
+  } else {
+    lower_ = Min(Min(v1, v2), Min(v3, v4));
+    upper_ = Max(Max(v1, v2), Max(v3, v4));
+  }
 #ifdef DEBUG
  Verify();
 #endif

--- a/src/crankshaft/hydrogen-instructions.h
+++ b/src/crankshaft/hydrogen-instructions.h
@@ -235,6 +235,7 @@ class Range final : public ZoneObject {
    lower_ = Max(lower_, Smi::kMinValue);
    upper_ = Min(upper_, Smi::kMaxValue);
  }
+  void Clear();
  void KeepOrder();
 #ifdef DEBUG
  void Verify() const;

--- a/test/mjsunit/regress/regress-crbug-645438.js
+++ b/test/mjsunit/regress/regress-crbug-645438.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function n(x,y){
+  y = (y-(0x80000000|0)|0);
+  return (x/y)|0;
+};
+var x = -0x80000000;
+var y = 0x7fffffff;
+n(x,y);
+n(x,y);
+%OptimizeFunctionOnNextCall(n);
+assertEquals(x, n(x,y));