From ec974ddb50e8db0d33cf4b423f387ec39739f297 Mon Sep 17 00:00:00 2001
From: "fschneider@chromium.org"
Date: Thu, 18 Mar 2010 14:32:02 +0000
Subject: [PATCH] Fix bug when generating a fast smi loop.
We may encounter an invalid frame after generating code for the loop body in case the loop body ends in an unconditional return. Before setting the type information for the loop variable we need to check for a valid frame.
Review URL: http://codereview.chromium.org/1106002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4182 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/ia32/codegen-ia32.cc | 2 +-
 test/mjsunit/compiler/loopcount.js | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/ia32/codegen-ia32.cc b/src/ia32/codegen-ia32.cc
index a13fa9047..39c665316 100644
--- a/src/ia32/codegen-ia32.cc
+++ b/src/ia32/codegen-ia32.cc
@@ -3766,7 +3766,7 @@ void CodeGenerator::VisitForStatement(ForStatement* node) {
 // Set the type of the loop variable to smi before compiling the test
 // expression if we are in a fast smi loop condition.
- if (node->is_fast_smi_loop()) {
+ if (node->is_fast_smi_loop() && has_valid_frame()) {
 // Set number type of the loop variable to smi.
 Slot* slot = node->loop_variable()->slot();
 ASSERT(slot->type() == Slot::LOCAL);
diff --git a/test/mjsunit/compiler/loopcount.js b/test/mjsunit/compiler/loopcount.js
index 736d9a779..da9bc6b7f 100644
--- a/test/mjsunit/compiler/loopcount.js
+++ b/test/mjsunit/compiler/loopcount.js
@@ -75,3 +75,12 @@ function f8() {
 return i;
 }
 assertEquals(0x40000002, f8());
+
+
+function f9() {
+ var i;
+ for (i = 0; i < 42; i++) {
+ return 42;
+ }
+}
+assertEquals(42, f9());
-- 
2.34.1
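Review bot: The comment above the changed condition in VisitForStatement still describes only the fast-smi-loop case and does not say why a frame check is needed, so the new `has_valid_frame()` guard reads as arbitrary to the next maintainer. I would extend that comment with something like `// The frame is invalid here when the loop body ends in an unconditional return; there is then no loop variable type to record.` Only the ia32 code generator is touched; if other architecture ports carry the same fast smi loop path they would presumably need the same guard, which cannot be checked from this patch. The function body starts and ends outside the hunk.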
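Review bot: The new f9 regression test covers only a loop body that ends in `return`; other unconditional exits from the body are not exercised. A body ending in `break` or `throw` presumably leaves the code generator without a valid frame at the same point, so a sibling case would pin the guard more firmly, e.g. `function f10() { var i; for (i = 0; i < 42; i++) { break; } return i; }` followed by `assertEquals(0, f10());`. A one-line comment above f9 naming what it guards against (an invalid frame after the loop body of a fast smi loop) would also help whoever edits this file later.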