From 8fbfad63cdedb0562a0230a1906b2722f98967d6 Mon Sep 17 00:00:00 2001 From: "mmassi@chromium.org" Date: Wed, 26 Sep 2012 09:57:30 +0000 Subject: [PATCH] Avoid wrong imul deopt on ia32 and x64 (fixes v8 bug 2339). BUG=v8:2339 Review URL: https://chromiumcodereview.appspot.com/10963032 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12614 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 --- src/ia32/lithium-codegen-ia32.cc | 5 ++- src/x64/lithium-codegen-x64.cc | 5 ++- test/mjsunit/regress/regress-1117.js | 15 +++++++-- test/mjsunit/regress/regress-2339.js | 59 ++++++++++++++++++++++++++++++++++++ 4 files changed, 79 insertions(+), 5 deletions(-) create mode 100644 test/mjsunit/regress/regress-2339.js diff --git a/src/ia32/lithium-codegen-ia32.cc b/src/ia32/lithium-codegen-ia32.cc index 7d413b9..da17e29 100644 --- a/src/ia32/lithium-codegen-ia32.cc +++ b/src/ia32/lithium-codegen-ia32.cc @@ -1234,8 +1234,11 @@ void LCodeGen::DoMulI(LMulI* instr) { __ test(left, Operand(left)); __ j(not_zero, &done, Label::kNear); if (right->IsConstantOperand()) { - if (ToInteger32(LConstantOperand::cast(right)) <= 0) { + if (ToInteger32(LConstantOperand::cast(right)) < 0) { DeoptimizeIf(no_condition, instr->environment()); + } else if (ToInteger32(LConstantOperand::cast(right)) == 0) { + __ cmp(ToRegister(instr->temp()), Immediate(0)); + DeoptimizeIf(less, instr->environment()); } } else { // Test the non-zero operand for negative sign. diff --git a/src/x64/lithium-codegen-x64.cc b/src/x64/lithium-codegen-x64.cc index cab8d37..8547b09 100644 --- a/src/x64/lithium-codegen-x64.cc +++ b/src/x64/lithium-codegen-x64.cc @@ -1125,8 +1125,11 @@ void LCodeGen::DoMulI(LMulI* instr) { __ testl(left, left); __ j(not_zero, &done, Label::kNear); if (right->IsConstantOperand()) { - if (ToInteger32(LConstantOperand::cast(right)) <= 0) { + if (ToInteger32(LConstantOperand::cast(right)) < 0) { DeoptimizeIf(no_condition, instr->environment()); + } else if (ToInteger32(LConstantOperand::cast(right)) == 0) { + __ cmpl(kScratchRegister, Immediate(0)); + DeoptimizeIf(less, instr->environment()); } } else if (right->IsStackSlot()) { __ orl(kScratchRegister, ToOperand(right)); diff --git a/test/mjsunit/regress/regress-1117.js b/test/mjsunit/regress/regress-1117.js index b013a22..981a1b7 100644 --- a/test/mjsunit/regress/regress-1117.js +++ b/test/mjsunit/regress/regress-1117.js @@ -25,11 +25,20 @@ // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +// Flags: --allow-natives-syntax + // Test that we actually return the right value (-0) when we multiply // constant 0 with a negative integer. function foo(y) {return 0 * y; } -for( var i = 0; i< 1000000; i++){ - foo(42); -} assertEquals(1/foo(-42), -Infinity); +assertEquals(1/foo(-42), -Infinity); +%OptimizeFunctionOnNextCall(foo); +assertEquals(1/foo(-42), -Infinity); + +function bar(x) { return x * 0; } +assertEquals(Infinity, 1/bar(5)); +assertEquals(Infinity, 1/bar(5)); +%OptimizeFunctionOnNextCall(bar); +assertEquals(-Infinity, 1/bar(-5)); + diff --git a/test/mjsunit/regress/regress-2339.js b/test/mjsunit/regress/regress-2339.js new file mode 100644 index 0000000..b16821d --- /dev/null +++ b/test/mjsunit/regress/regress-2339.js @@ -0,0 +1,59 @@ +// Copyright 2012 the V8 project authors. All rights reserved. +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials provided +// with the distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived +// from this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +// Flags: --allow-natives-syntax --expose-gc + +/** + * The possible optimization states of a function. Must be in sync with the + * return values of Runtime_GetOptimizationStatus() in runtime.cc! + */ + +var OptimizationState = { + YES: 1, + NO: 2, + ALWAYS: 3, + NEVER: 4 +}; + +function simple() { + return simple_two_args(0, undefined); +} + +function simple_two_args(always_zero, always_undefined) { + var always_five = always_undefined || 5; + return always_zero * always_five * .5; +} + + +simple(); +simple(); +%OptimizeFunctionOnNextCall(simple); +simple(); +var raw_optimized = %GetOptimizationStatus(simple); +assertFalse(raw_optimized == OptimizationState.NO); +gc(); + -- 2.7.4