[turbofan] Fix invalid SpeculativeToNumber optimization.

When optimizing SpeculativeToNumber we need to pay attention to the hint, otherwise we optimize away a Signed32 conversion, based on the fact that the input is a Number. Bug: chromium:819298 Change-Id: I2ac7b0dac708fee9083eca2880bd5674a82daaa3 Reviewed-on: https://chromium-review.googlesource.com/955423Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#51805}

[turbofan] Fix invalid SpeculativeToNumber optimization.
When optimizing SpeculativeToNumber we need to pay attention to the hint, otherwise we optimize away a Signed32 conversion, based on the fact that the input is a Number. Bug: chromium:819298 Change-Id: I2ac7b0dac708fee9083eca2880bd5674a82daaa3 Reviewed-on: https://chromium-review.googlesource.com/955423Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#51805}
e583fc83 · Benedikt Meurer · Commit Bot · 36b32aa2 · e583fc83 · e583fc83
Commit e583fc83 authored Mar 08, 2018 by Benedikt Meurer Committed by Commit Bot Mar 08, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 41 additions and 4 deletions

typed-optimization.cc src/compiler/typed-optimization.cc +24 -4

regress-crbug-819298.js test/mjsunit/regress/regress-crbug-819298.js +17 -0

No files found.
--- a/src/compiler/typed-optimization.cc
+++ b/src/compiler/typed-optimization.cc
@@ -447,10 +447,30 @@ Reduction TypedOptimization::ReduceSpeculativeToNumber(Node* node) {
  DCHECK_EQ(IrOpcode::kSpeculativeToNumber, node->opcode());
  Node* const input = NodeProperties::GetValueInput(node, 0);
  Type* const input_type = NodeProperties::GetType(input);
-  if (input_type->Is(Type::Number())) {
-    // SpeculativeToNumber(x:number) => x
-    ReplaceWithValue(node, input);
-    return Replace(input);
+  switch (NumberOperationParametersOf(node->op()).hint()) {
+    case NumberOperationHint::kSigned32:
+      if (input_type->Is(Type::Signed32())) {
+        // SpeculativeToNumber(x:signed32) => x
+        ReplaceWithValue(node, input);
+        return Replace(input);
+      }
+      break;
+    case NumberOperationHint::kSignedSmall:
+    case NumberOperationHint::kSignedSmallInputs:
+      if (input_type->Is(Type::SignedSmall())) {
+        // SpeculativeToNumber(x:signed-small) => x
+        ReplaceWithValue(node, input);
+        return Replace(input);
+      }
+      break;
+    case NumberOperationHint::kNumber:
+    case NumberOperationHint::kNumberOrOddball:
+      if (input_type->Is(Type::Number())) {
+        // SpeculativeToNumber(x:number) => x
+        ReplaceWithValue(node, input);
+        return Replace(input);
+      }
+      break;
  }
  return NoChange();
 }

--- a/test/mjsunit/regress/regress-crbug-819298.js
+++ b/test/mjsunit/regress/regress-crbug-819298.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var a = new Int32Array(2);
+
+function foo(base) {
+  a[base - 91] = 1;
+}
+
+foo("");
+foo("");
+%OptimizeFunctionOnNextCall(foo);
+foo(NaN);
+assertEquals(0, a[0]);