-
bmeurer authored
The LoadBuffer operator that is used for asm.js heap access claims to return only the appropriate typed array type, but out of bounds access could make it return undefined. So far we tried to "repair" the graph later if we see that our assumption was wrong, and for various reasons that worked for some time. But now that wrong type information that is propagated earlier is picked up appropriately and thus we generate wrong code, i.e. we in the repro case we feed NaN into ChangeFloat64Uint32 and thus get 2147483648 instead of 0 (with proper JS truncation). This was always considered a temporary hack until we have a proper asm.js pipeline, but since we still run asm.js through the generic JavaScript pipeline, we have to address this now. Quickfix is to just bailout from the pipeline when we see that the LoadBuffer type was wrong, i.e. the result of LoadBuffer is not properly truncated and thus undefined or NaN would be observable. R=mstarzinger@chromium.org, jarin@chromium.org BUG=chromium:589792 LOG=y Review URL: https://codereview.chromium.org/1740123002 Cr-Commit-Position: refs/heads/master@{#34322}
58ab990a
