From 2ee5aa951c4f3e3276c26d86e595de579e42efda Mon Sep 17 00:00:00 2001
From: "bmeurer@chromium.org"
 <bmeurer@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Date: Fri, 15 Nov 2013 09:13:36 +0000
Subject: [PATCH] Fix missing type feedback check for Generic*String addition.

TEST=mjsunit/regress/regress-crbug-318671
BUG=318671
LOG=y
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/67473007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17772 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/hydrogen.cc                              | 28 +++++++++++++-------
 test/mjsunit/regress/regress-crbug-318671.js | 38 ++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+), 9 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-318671.js

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index b47ec80..67bea00 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -8359,14 +8359,27 @@ HInstruction* HGraphBuilder::BuildBinaryOperation(
   // Special case for string addition here.
   if (op == Token::ADD &&
       (left_type->Is(Type::String()) || right_type->Is(Type::String()))) {
+    // Validate type feedback for left argument.
     if (left_type->Is(Type::String())) {
       IfBuilder if_isstring(this);
       if_isstring.If<HIsStringAndBranch>(left);
       if_isstring.Then();
       if_isstring.ElseDeopt("Expected string for LHS of binary operation");
-    } else if (left_type->Is(Type::Number())) {
+    }
+
+    // Validate type feedback for right argument.
+    if (right_type->Is(Type::String())) {
+      IfBuilder if_isstring(this);
+      if_isstring.If<HIsStringAndBranch>(right);
+      if_isstring.Then();
+      if_isstring.ElseDeopt("Expected string for RHS of binary operation");
+    }
+
+    // Convert left argument as necessary.
+    if (left_type->Is(Type::Number())) {
+      ASSERT(right_type->Is(Type::String()));
       left = BuildNumberToString(left, left_type);
-    } else {
+    } else if (!left_type->Is(Type::String())) {
       ASSERT(right_type->Is(Type::String()));
       HValue* function = AddLoadJSBuiltin(Builtins::STRING_ADD_RIGHT);
       Add<HPushArgument>(left);
@@ -8374,14 +8387,11 @@ HInstruction* HGraphBuilder::BuildBinaryOperation(
       return NewUncasted<HInvokeFunction>(function, 2);
     }
 
-    if (right_type->Is(Type::String())) {
-      IfBuilder if_isstring(this);
-      if_isstring.If<HIsStringAndBranch>(right);
-      if_isstring.Then();
-      if_isstring.ElseDeopt("Expected string for RHS of binary operation");
-    } else if (right_type->Is(Type::Number())) {
+    // Convert right argument as necessary.
+    if (right_type->Is(Type::Number())) {
+      ASSERT(left_type->Is(Type::String()));
       right = BuildNumberToString(right, right_type);
-    } else {
+    } else if (!right_type->Is(Type::String())) {
       ASSERT(left_type->Is(Type::String()));
       HValue* function = AddLoadJSBuiltin(Builtins::STRING_ADD_LEFT);
       Add<HPushArgument>(left);
diff --git a/test/mjsunit/regress/regress-crbug-318671.js b/test/mjsunit/regress/regress-crbug-318671.js
new file mode 100644
index 0000000..54a7d5e
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-318671.js
@@ -0,0 +1,38 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+function add(x, y) { return x + y; }
+
+print(add({ a: 1 }, "a"));
+print(add({ b: 1 }, "b"));
+print(add({ c: 1 }, "c"));
+
+%OptimizeFunctionOnNextCall(add);
+
+print(add("a", 1));
-- 
2.7.4