Fix bug in x64 immediate operand handling for smi-converting loads

Bug: chromium:802060 Change-Id: I032930af26f7eab8d5d3469ad273bdcdff85b045 Reviewed-on: https://chromium-review.googlesource.com/897723Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Daniel Clifford <danno@chromium.org> Cr-Commit-Position: refs/heads/master@{#51035}

Fix bug in x64 immediate operand handling for smi-converting loads
Bug: chromium:802060 Change-Id: I032930af26f7eab8d5d3469ad273bdcdff85b045 Reviewed-on: https://chromium-review.googlesource.com/897723Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Daniel Clifford <danno@chromium.org> Cr-Commit-Position: refs/heads/master@{#51035}
9ef2ed30 · Daniel Clifford · Commit Bot · 51af4f58 · 9ef2ed30 · 9ef2ed30
Commit 9ef2ed30 authored Feb 01, 2018 by Daniel Clifford Committed by Commit Bot Feb 01, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 1 deletion

instruction-selector-x64.cc src/compiler/x64/instruction-selector-x64.cc +5 -1

regress-802060.js test/mjsunit/regress/regress-802060.js +24 -0

No files found.
--- a/src/compiler/x64/instruction-selector-x64.cc
+++ b/src/compiler/x64/instruction-selector-x64.cc
@@ -109,7 +109,7 @@ class X64OperandGenerator final : public OperandGenerator {
        DCHECK(scale_exponent >= 0 && scale_exponent <= 3);
        inputs[(*input_count)++] = UseRegister(index);
        if (displacement != nullptr) {
-          inputs[(*input_count)++] = displacement_mode
+          inputs[(*input_count)++] = displacement_mode == kNegativeDisplacement
                                         ? UseNegatedImmediate(displacement)
                                         : UseImmediate(displacement);
          static const AddressingMode kMRnI_modes[] = {kMode_MR1I, kMode_MR2I,
@@ -717,6 +717,10 @@ bool TryMatchLoadWord64AndShiftRight(InstructionSelector* selector, Node* node,
        }
        inputs[input_count++] = ImmediateOperand(ImmediateOperand::INLINE, 4);
      } else {
+        // In the case that the base address was zero, the displacement will be
+        // in a register and replacing it with an immediate is not allowed. This
+        // usually only happens in dead code anyway.
+        if (!inputs[input_count - 1].IsImmediate()) return false;
        int32_t displacement = g.GetImmediateIntegerValue(mleft.displacement());
        inputs[input_count - 1] =
            ImmediateOperand(ImmediateOperand::INLINE, displacement + 4);

--- a/test/mjsunit/regress/regress-802060.js
+++ b/test/mjsunit/regress/regress-802060.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+// Flags: --allow-natives-syntax
+function assertEquals(expected, found) {
+  found.length !== expected.length;
+}
+assertEquals([], [])
+assertEquals("a", "a");
+assertEquals([], []);
+function f() {
+  assertEquals(0, undefined);
+}
+try {
+  f();
+} catch (e) {
+}
+%OptimizeFunctionOnNextCall(f);
+try {
+  f();
+} catch (e) {
+}