Fix HCheckValue::Canonicalize wrt uninitialized HConstant unique.

author yangguo@chromium.org <yangguo@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>

Tue, 4 Mar 2014 08:08:08 +0000 (08:08 +0000)

committer yangguo@chromium.org <yangguo@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>

Tue, 4 Mar 2014 08:08:08 +0000 (08:08 +0000)
author yangguo@chromium.org <yangguo@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Tue, 4 Mar 2014 08:08:08 +0000 (08:08 +0000)
committer yangguo@chromium.org <yangguo@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Tue, 4 Mar 2014 08:08:08 +0000 (08:08 +0000)
diff --git a/src/hydrogen-instructions.cc b/src/hydrogen-instructions.cc

index a351349..802c0d6 100644 (file)
--- a/src/hydrogen-instructions.cc
+++ b/src/hydrogen-instructions.cc
@@ -1539,7 +1539,7 @@ bool HCheckMaps::HandleSideEffectDominator(GVNFlag side_effect,
      HStoreNamedField* store = HStoreNamedField::cast(dominator);
      if (!store->has_transition() || store->object() != value()) return false;
      HConstant* transition = HConstant::cast(store->transition());
-    if (map_set_.Contains(transition->GetUnique())) {
+    if (map_set_.Contains(Unique<Map>::cast(transition->GetUnique()))) {
        DeleteAndReplaceWith(NULL);
        return true;
      }
@@ -1567,9 +1567,7 @@ void HCheckValue::PrintDataTo(StringStream* stream) {
  
  HValue* HCheckValue::Canonicalize() {
    return (value()->IsConstant() &&
-          HConstant::cast(value())->GetUnique() == object_)
-      ? NULL
-      : this;
+          HConstant::cast(value())->EqualsUnique(object_)) ? NULL : this;
  }
  
  
diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h

index f7a3554..52c31b3 100644 (file)
--- a/src/hydrogen-instructions.h
+++ b/src/hydrogen-instructions.h
@@ -3541,6 +3541,10 @@ class HConstant V8_FINAL : public HTemplateInstruction<0> {
      return object_;
    }
  
+  bool EqualsUnique(Unique<Object> other) const {
+    return object_.IsInitialized() && object_ == other;
+  }
+
  #ifdef DEBUG
    virtual void Verify() V8_OVERRIDE { }
  #endif
diff --git a/test/mjsunit/regress/regress-348280.js b/test/mjsunit/regress/regress-348280.js

new file mode 100644 (file)

index 0000000..319c270
--- /dev/null
+++ b/test/mjsunit/regress/regress-348280.js
@@ -0,0 +1,16 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function baz(f) { f(); }
+function goo() {}
+baz(goo);
+baz(goo);
+
+function bar(p) { if (p == 0) baz(1); }
+bar(1);
+bar(1);
+%OptimizeFunctionOnNextCall(bar);
+bar(1);
author	yangguo@chromium.org <yangguo@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
	Tue, 4 Mar 2014 08:08:08 +0000 (08:08 +0000)
committer	yangguo@chromium.org <yangguo@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
	Tue, 4 Mar 2014 08:08:08 +0000 (08:08 +0000)
src/hydrogen-instructions.cc		patch \| blob \| history
src/hydrogen-instructions.h		patch \| blob \| history
test/mjsunit/regress/regress-348280.js	[new file with mode: 0644]	patch \| blob