Commit b22f5ac6 authored by Z Nguyen-Huu's avatar Z Nguyen-Huu Committed by Commit Bot

[turbofan] Avoid relaxing node that has other effect use

It is related to Reduce consecutive overflow addition with constants.
Turned out that we needs to consider also effect use before relaxing it.

This fixed the issue that fuzzer found in e93a369f.

Bug: chromium:1137586
Change-Id: I32fee5ecc7a6ce40d6f739f9c6e2440a647a2222
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2469597
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: 's avatarTobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70514}
parent 04221a96
...@@ -234,16 +234,14 @@ Reduction SimplifiedOperatorReducer::Reduce(Node* node) { ...@@ -234,16 +234,14 @@ Reduction SimplifiedOperatorReducer::Reduce(Node* node) {
bool overflow = base::bits::SignedAddOverflow32( bool overflow = base::bits::SignedAddOverflow32(
n.right().Value(), m.right().Value(), &val); n.right().Value(), m.right().Value(), &val);
if (!overflow) { if (!overflow) {
bool has_no_other_value_uses = true; bool has_no_other_uses = true;
for (Edge edge : checked_int32_add->use_edges()) { for (Edge edge : checked_int32_add->use_edges()) {
if (!edge.from()->IsDead() && if (!edge.from()->IsDead() && edge.from() != node) {
!NodeProperties::IsEffectEdge(edge) && has_no_other_uses = false;
edge.from() != node) {
has_no_other_value_uses = false;
break; break;
} }
} }
if (has_no_other_value_uses) { if (has_no_other_uses) {
node->ReplaceInput(0, n.left().node()); node->ReplaceInput(0, n.left().node());
node->ReplaceInput(1, jsgraph()->Int32Constant(val)); node->ReplaceInput(1, jsgraph()->Int32Constant(val));
RelaxEffectsAndControls(checked_int32_add); RelaxEffectsAndControls(checked_int32_add);
......
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function f() {
for (var i = 0; i < 100000; i++) {
var a = arguments[0] + 2;
var b = arguments[1] + 2;
var c = a + i + 5;
var d = c + 3;
}
}
for (var j = 0; j < 3; j++) {
f(2, 3);
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment