[turbofan] Make sure TruncatingUseInfoFromRepresentation respects Smi representation.

Eventually, we want to fix this also for tagged pointers (tracking bug: https://crbug.com/v8/7162). Bug: chromium:791245 Change-Id: I93d6deff36cedcc9a4665fab0abe6fffdae9b61b Reviewed-on: https://chromium-review.googlesource.com/806457Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#49850}

[turbofan] Make sure TruncatingUseInfoFromRepresentation respects Smi representation.
Eventually, we want to fix this also for tagged pointers (tracking bug: https://crbug.com/v8/7162). Bug: chromium:791245 Change-Id: I93d6deff36cedcc9a4665fab0abe6fffdae9b61b Reviewed-on: https://chromium-review.googlesource.com/806457Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#49850}
cc07ac73 · Jaroslav Sevcik · Commit Bot · c865f3ed · cc07ac73 · cc07ac73
Commit cc07ac73 authored Dec 04, 2017 by Jaroslav Sevcik Committed by Commit Bot Dec 05, 2017
4 changed files
--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@@ -14,6 +14,7 @@
 #include "src/compiler/linkage.h"
 #include "src/compiler/node-matchers.h"
 #include "src/compiler/simplified-operator.h"
+#include "src/compiler/type-cache.h"
 #include "src/feedback-vector-inl.h"
 #include "src/ic/call-optimization.h"
 #include "src/objects-inl.h"
@@ -1397,8 +1398,11 @@ Node* JSCallReducer::DoFilterPostCallbackWork(ElementsKind kind, Node** control,

    // We know that {to} is in Unsigned31 range here, being smaller than
    // {original_length} at all times.
-    Node* checked_to =
-        graph()->NewNode(common()->TypeGuard(Type::Unsigned31()), to, if_true);
+    DCHECK(TypeCache::Get().kFixedDoubleArrayLengthType->Is(
+        TypeCache::Get().kFixedArrayLengthType));
+    Node* checked_to = graph()->NewNode(
+        common()->TypeGuard(TypeCache::Get().kFixedArrayLengthType), to,
+        if_true);
    Node* elements_length = etrue = graph()->NewNode(
        simplified()->LoadField(AccessBuilder::ForFixedArrayLength()), elements,
        etrue, if_true);

--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@@ -2574,6 +2574,9 @@ Node* JSNativeContextSpecialization::BuildExtendPropertiesBackingStore(
  }
  Node* new_length_and_hash = graph()->NewNode(
      simplified()->NumberBitwiseOr(), jsgraph()->Constant(new_length), hash);
+  // TDOO(jarin) Fix the typer to infer tighter bound for NumberBitwiseOr.
+  new_length_and_hash = graph()->NewNode(
+      common()->TypeGuard(Type::SignedSmall()), new_length_and_hash, control);

  // Allocate and initialize the new properties.
  AllocationBuilder a(jsgraph(), effect, control);

--- a/src/compiler/simplified-lowering.cc
+++ b/src/compiler/simplified-lowering.cc
@@ -122,6 +122,7 @@ UseInfo CheckedUseInfoAsFloat64FromHint(NumberOperationHint hint) {
 UseInfo TruncatingUseInfoFromRepresentation(MachineRepresentation rep) {
  switch (rep) {
    case MachineRepresentation::kTaggedSigned:
+      return UseInfo::TaggedSigned();
    case MachineRepresentation::kTaggedPointer:
    case MachineRepresentation::kTagged:
      return UseInfo::AnyTagged();

--- a/test/mjsunit/compiler/regress-791245.js
+++ b/test/mjsunit/compiler/regress-791245.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc
+
+var a, b;  // Global variables that will end up with number map.
+
+for (var i = 0; i < 100000; i++) {
+  b = 1;
+  a = i + -0;  // -0 is a number, so this will make "a" a heap object.
+  b = a;
+}
+
+assertTrue(a === b);
+gc();
+assertTrue(a === b);