From b1a271a02c7f7ae0924e8e21e3772bb4eb7e2239 Mon Sep 17 00:00:00 2001
From: "yangguo@chromium.org"
Date: Tue, 4 Mar 2014 08:08:08 +0000
Subject: [PATCH] Fix HCheckValue::Canonicalize wrt uninitialized HConstant unique.
R=titzer@chromium.org
BUG=348280
LOG=N
Review URL: https://codereview.chromium.org/183383006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19642 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/hydrogen-instructions.cc | 6 ++----
 src/hydrogen-instructions.h | 4 ++++
 test/mjsunit/regress/regress-348280.js | 16 ++++++++++++++++
 3 files changed, 22 insertions(+), 4 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-348280.js
diff --git a/src/hydrogen-instructions.cc b/src/hydrogen-instructions.cc
index a351349..802c0d6 100644
--- a/src/hydrogen-instructions.cc
+++ b/src/hydrogen-instructions.cc
@@ -1539,7 +1539,7 @@ bool HCheckMaps::HandleSideEffectDominator(GVNFlag side_effect,
 HStoreNamedField* store = HStoreNamedField::cast(dominator);
 if (!store->has_transition() || store->object() != value()) return false;
 HConstant* transition = HConstant::cast(store->transition());
- if (map_set_.Contains(transition->GetUnique())) {
+ if (map_set_.Contains(Unique::cast(transition->GetUnique()))) {
 DeleteAndReplaceWith(NULL);
 return true;
 }
@@ -1567,9 +1567,7 @@ void HCheckValue::PrintDataTo(StringStream* stream) {
 HValue* HCheckValue::Canonicalize() {
 return (value()->IsConstant() &&
- HConstant::cast(value())->GetUnique() == object_)
- ? NULL
- : this;
+ HConstant::cast(value())->EqualsUnique(object_)) ? NULL : this;
 }
diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h
index f7a3554..52c31b3 100644
--- a/src/hydrogen-instructions.h
+++ b/src/hydrogen-instructions.h
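Review bot: In HCheckMaps::HandleSideEffectDominator (src/hydrogen-instructions.cc), the new `Unique::cast(transition->GetUnique())` runs with no check that the transition constant's unique is initialized, even though this commit exists because an HConstant unique can be uninitialized. Whether `Unique::cast` itself validates its argument is not visible on this page, so the invariant is implicit. A debug assertion just before the lookup, `ASSERT(transition->GetUnique().IsInitialized());`, would state it and catch a regression before the map-set lookup acts on a bad value. The commit description only mentions HCheckValue::Canonicalize, so a one-line comment saying why the cast is needed here would help the next reader. The function starts and ends outside the hunk.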
@@ -3541,6 +3541,10 @@ class HConstant V8_FINAL : public HTemplateInstruction<0> {
 return object_;
 }
+ bool EqualsUnique(Unique other) const {
+ return object_.IsInitialized() && object_ == other;
+ }
+
 #ifdef DEBUG
 virtual void Verify() V8_OVERRIDE { }
 #endif
diff --git a/test/mjsunit/regress/regress-348280.js b/test/mjsunit/regress/regress-348280.js
new file mode 100644
index 0000000..319c270
--- /dev/null
+++ b/test/mjsunit/regress/regress-348280.js
@@ -0,0 +1,16 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function baz(f) { f(); }
+function goo() {}
+baz(goo);
+baz(goo);
+
+function bar(p) { if (p == 0) baz(1); }
+bar(1);
+bar(1);
+%OptimizeFunctionOnNextCall(bar);
+bar(1);
--
2.7.4
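Review bot: `EqualsUnique` in HConstant (src/hydrogen-instructions.h) has no comment saying that the `IsInitialized()` guard is the reason it exists, and the accessor ending just above it (presumably GetUnique()) still returns `object_` for unguarded comparison. I would add `// Safe comparison: a constant whose unique is not initialized never equals |other|; prefer this over GetUnique() == other.` above the method. Call sites elsewhere that compare the raw unique directly are not visible on this page and are worth auditing, since a wrong equality answer in HCheckValue::Canonicalize appears to let the check be dropped. The class body continues outside the hunk.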
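Review bot: The new test in test/mjsunit/regress/regress-348280.js has no assertion and no comment naming what it guards, so it passes only by not crashing and a later reader cannot tell which lines are essential. `bar` is only ever called with 1, so the `baz(1)` call is compiled but never executed, which looks deliberate and deserves to be said. A header comment such as `// Regression test for bug 348280: optimizing bar() must not crash; baz(1) is never executed.` placed above `function baz` would record the intent and make an accidental simplification of the test less likely.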