[turbofan] Fix representation type for JSArray::length.

This fixes the representation type for values in JSArray::length fields when JSNativeContextSpecialization lowers loads. Only arrays with fast elements kind are guaranteed to have a Smi represented length. R=bmeurer@chromium.org TEST=mjsunit/regress/regress-4515 BUG=v8:4515, v8:4493, v8:4470 LOG=n Review URL: https://codereview.chromium.org/1410393006 Cr-Commit-Position: refs/heads/master@{#31558}

[turbofan] Fix representation type for JSArray::length.
This fixes the representation type for values in JSArray::length fields when JSNativeContextSpecialization lowers loads. Only arrays with fast elements kind are guaranteed to have a Smi represented length. R=bmeurer@chromium.org TEST=mjsunit/regress/regress-4515 BUG=v8:4515, v8:4493, v8:4470 LOG=n Review URL: https://codereview.chromium.org/1410393006 Cr-Commit-Position: refs/heads/master@{#31558}
e121aabe · mstarzinger · Commit bot · c043a7ee · e121aabe · e121aabe
Commit e121aabe authored Oct 26, 2015 by mstarzinger Committed by Commit bot Oct 26, 2015
Showing with 20 additions and 4 deletions

js-native-context-specialization.cc src/compiler/js-native-context-specialization.cc +3 -1

mjsunit.status test/mjsunit/mjsunit.status +0 -3

regress-4515.js test/mjsunit/regress/regress-4515.js +17 -0

No files found.
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@@ -338,15 +338,17 @@ bool JSNativeContextSpecialization::ComputePropertyAccessInfo(
        // elements, a smi in the range [0, FixedArray::kMaxLength]
        // in case of other fast elements, and [0, kMaxUInt32-1] in
        // case of other arrays.
+        Type* field_type_rep = Type::Tagged();
        double field_type_upper = kMaxUInt32 - 1;
        if (IsFastElementsKind(map->elements_kind())) {
+          field_type_rep = Type::TaggedSigned();
          field_type_upper = IsFastDoubleElementsKind(map->elements_kind())
                                 ? FixedDoubleArray::kMaxLength
                                 : FixedArray::kMaxLength;
        }
        field_type =
            Type::Intersect(Type::Range(0.0, field_type_upper, graph()->zone()),
-                            Type::TaggedSigned(), graph()->zone());
+                            field_type_rep, graph()->zone());
      }
      *access_info = PropertyAccessInfo::DataField(receiver_type, field_index,
                                                   field_type, holder);

--- a/test/mjsunit/mjsunit.status
+++ b/test/mjsunit/mjsunit.status
@@ -152,9 +152,6 @@
  # TODO(titzer): too slow in --turbo mode due to O(n^2) graph verification.
  'regress/regress-1122': [PASS, NO_VARIANTS],

-  # Issue 4493: Bugs due to --turbo-inlining.
-  'sparse-array-reverse': [PASS, NO_VARIANTS],
-
  # Assumptions about optimization need investigation in TurboFan.
  'compiler/inlined-call': [PASS, NO_VARIANTS],
  'deopt-with-fp-regs': [PASS, NO_VARIANTS],

--- a/test/mjsunit/regress/regress-4515.js
+++ b/test/mjsunit/regress/regress-4515.js
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --turbo-filter=f
+
+function f(array) {
+  return array.length >>> 0;
+}
+
+var a = new Array();
+a[4000000000] = "A";
+
+assertEquals(4000000001, f(a));
+assertEquals(4000000001, f(a));
+%OptimizeFunctionOnNextCall(f);
+assertEquals(4000000001, f(a));