[crankshaft] Range analysis should not rely on overflowed ranges.

isheludko · Commit bot · commit 9a0109d72e3d · 2016-10-12T09:06:32.000Z
BUG=chromium:645438 Review-Url: https://codereview.chromium.org/2412853002 Cr-Commit-Position: refs/heads/master@{#40202}
diff --git a/src/crankshaft/hydrogen-instructions.cc b/src/crankshaft/hydrogen-instructions.cc
@@ -259,7 +259,11 @@ bool Range::AddAndCheckOverflow(const Representation& r, Range* other) {
   bool may_overflow = false;
   lower_ = AddWithoutOverflow(r, lower_, other->lower(), &may_overflow);
   upper_ = AddWithoutOverflow(r, upper_, other->upper(), &may_overflow);
-  KeepOrder();
+  if (may_overflow) {
+    Clear();
+  } else {
+    KeepOrder();
+  }
 #ifdef DEBUG
   Verify();
 #endif
@@ -271,13 +275,21 @@ bool Range::SubAndCheckOverflow(const Representation& r, Range* other) {
   bool may_overflow = false;
   lower_ = SubWithoutOverflow(r, lower_, other->upper(), &may_overflow);
   upper_ = SubWithoutOverflow(r, upper_, other->lower(), &may_overflow);
-  KeepOrder();
+  if (may_overflow) {
+    Clear();
+  } else {
+    KeepOrder();
+  }
 #ifdef DEBUG
   Verify();
 #endif
   return may_overflow;
 }
 
+void Range::Clear() {
+  lower_ = kMinInt;
+  upper_ = kMaxInt;
+}
 
 void Range::KeepOrder() {
   if (lower_ > upper_) {
@@ -301,8 +313,12 @@ bool Range::MulAndCheckOverflow(const Representation& r, Range* other) {
   int v2 = MulWithoutOverflow(r, lower_, other->upper(), &may_overflow);
   int v3 = MulWithoutOverflow(r, upper_, other->lower(), &may_overflow);
   int v4 = MulWithoutOverflow(r, upper_, other->upper(), &may_overflow);
-  lower_ = Min(Min(v1, v2), Min(v3, v4));
-  upper_ = Max(Max(v1, v2), Max(v3, v4));
+  if (may_overflow) {
+    Clear();
+  } else {
+    lower_ = Min(Min(v1, v2), Min(v3, v4));
+    upper_ = Max(Max(v1, v2), Max(v3, v4));
+  }
 #ifdef DEBUG
   Verify();
 #endif
diff --git a/src/crankshaft/hydrogen-instructions.h b/src/crankshaft/hydrogen-instructions.h
@@ -235,6 +235,7 @@ class Range final : public ZoneObject {
     lower_ = Max(lower_, Smi::kMinValue);
     upper_ = Min(upper_, Smi::kMaxValue);
   }
+  void Clear();
   void KeepOrder();
 #ifdef DEBUG
   void Verify() const;
diff --git a/test/mjsunit/regress/regress-crbug-645438.js b/test/mjsunit/regress/regress-crbug-645438.js
@@ -0,0 +1,16 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function n(x,y){
+  y = (y-(0x80000000|0)|0);
+  return (x/y)|0;
+};
+var x = -0x80000000;
+var y = 0x7fffffff;
+n(x,y);
+n(x,y);
+%OptimizeFunctionOnNextCall(n);
+assertEquals(x, n(x,y));

Original file line number	Diff line number	Diff line change
`@@ -235,6 +235,7 @@ class Range final : public ZoneObject {`
`235`	`235`	`lower_ = Max(lower_, Smi::kMinValue);`
`236`	`236`	`upper_ = Min(upper_, Smi::kMaxValue);`
`237`	`237`	`}`
	`238`	`+ void Clear();`
`238`	`239`	`void KeepOrder();`
`239`	`240`	`#ifdef DEBUG`
`240`	`241`	`void Verify() const;`