Google Git
Sign in
android / platform / external / chromium_org / v8 / 908fbbb87371b50f61105e615c686f17a2ea4486^! / .
commit908fbbb87371b50f61105e615c686f17a2ea4486[log] [tgz]
authorbmeurer@chromium.org <bmeurer@chromium.org>Wed Sep 10 07:01:40 2014 +0000
committerbmeurer@chromium.org <bmeurer@chromium.org>Wed Sep 10 07:01:40 2014 +0000
treebf4abf1d74fca82da4c46ce6dc0ab874d95bf1b5
parent267831d92adc09d88f49f887b358eadb92a1585e [diff]
Version 3.28.71.9 (merged r23691)

Enforce correct number comparisons when inlining Array.indexOf.

BUG=407946
LOG=N
R=machenbach@chromium.org

Review URL: https://codereview.chromium.org/553373002

git-svn-id: https://v8.googlecode.com/svn/branches/3.28@23817 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 3ddd7cc..9f3945f 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc

@@ -8800,6 +8800,12 @@
 
   Push(graph()->GetConstantMinus1());
   if (IsFastDoubleElementsKind(kind) || IsFastSmiElementsKind(kind)) {
+    // Make sure that we can actually compare numbers correctly below, see
+    // https://code.google.com/p/chromium/issues/detail?id=407946 for details.
+    search_element = AddUncasted<HForceRepresentation>(
+        search_element, IsFastSmiElementsKind(kind) ? Representation::Smi()
+                                                    : Representation::Double());
+
     LoopBuilder loop(this, context(), direction);
     {
       HValue* index = loop.BeginBody(initial, terminating, token);
@@ -8807,12 +8813,8 @@
           elements, index, static_cast<HValue*>(NULL),
           kind, ALLOW_RETURN_HOLE);
       IfBuilder if_issame(this);
-      if (IsFastDoubleElementsKind(kind)) {
-        if_issame.If<HCompareNumericAndBranch>(
-            element, search_element, Token::EQ_STRICT);
-      } else {
-        if_issame.If<HCompareObjectEqAndBranch>(element, search_element);
-      }
+      if_issame.If<HCompareNumericAndBranch>(element, search_element,
+                                             Token::EQ_STRICT);
       if_issame.Then();
       {
         Drop(1);

diff --git a/src/version.cc b/src/version.cc
index 92b9be1..afcd7b8 100644
--- a/src/version.cc
+++ b/src/version.cc

@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     28
 #define BUILD_NUMBER      71
-#define PATCH_LEVEL 8
+#define PATCH_LEVEL 9
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0

diff --git a/test/mjsunit/regress/regress-crbug-407946.js b/test/mjsunit/regress/regress-crbug-407946.js
new file mode 100644
index 0000000..d5687cc
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-407946.js

@@ -0,0 +1,12 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f(n) { return [0].indexOf((n - n) + 0); }
+
+assertEquals(0, f(.1));
+assertEquals(0, f(.1));
+%OptimizeFunctionOnNextCall(f);
+assertEquals(0, f(.1));