[crankshaft] Fix HAliasAnalyzer for constants
BUG=chromium:722756
Change-Id: I04fc7fa0b8ef1e56d25f829fc5c8f53ae439aa52
Reviewed-on: https://chromium-review.googlesource.com/507209
Reviewed-by: Daniel Clifford <danno@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45375}
diff --git a/src/crankshaft/hydrogen-alias-analysis.h b/src/crankshaft/hydrogen-alias-analysis.h
index 1f32b7a..d06aabc 100644
--- a/src/crankshaft/hydrogen-alias-analysis.h
+++ b/src/crankshaft/hydrogen-alias-analysis.h
@@ -43,7 +43,7 @@
}
// Constant objects can be distinguished statically.
- if (a->IsConstant()) {
+ if (a->IsConstant() && b->IsConstant()) {
return a->Equals(b) ? kMustAlias : kNoAlias;
}
return kMayAlias;
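Review bot: The comment above the changed condition still reads `// Constant objects can be distinguished statically.` and does not say why both operands must be constants, which is the whole point of the fix. A constant compared with a non-constant value tells the analyzer nothing about whether the two refer to the same object at runtime, so answering kNoAlias in that case was unsound, and passes that consume the result could presumably drop checks they still need. I would reword it to `// Two constants can be compared statically; a constant and a non-constant may still alias, so fall through to kMayAlias.` The enclosing function starts and ends outside the hunk, so its other return paths could not be checked here.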
diff --git a/test/mjsunit/regress/regress-crbug-722756.js b/test/mjsunit/regress/regress-crbug-722756.js
new file mode 100644
index 0000000..b4d82ad
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-722756.js
@@ -0,0 +1,40 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var array = [[{}], [1.1]];
+
+function transition() {
+ for(var i = 0; i < array.length; i++){
+ var arr = array[i];
+ arr[0] = {};
+ }
+}
+
+var double_arr2 = [1.1,2.2];
+
+var flag = 0;
+function swap() {
+ try {} catch(e) {} // Prevent Crankshaft from inlining this.
+ if (flag == 1) {
+ array[1] = double_arr2;
+ }
+}
+
+var expected = 6.176516726456e-312;
+function f(){
+ swap();
+ double_arr2[0] = 1;
+ transition();
+ double_arr2[1] = expected;
+}
+
+for(var i = 0; i < 3; i++) {
+ f();
+}
+%OptimizeFunctionOnNextCall(f);
+flag = 1;
+f();
+assertEquals(expected, double_arr2[1]);
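Review bot: The test has no comment describing the scenario it reproduces, so a later reader cannot tell which store the final `assertEquals` is guarding. As far as the visible code shows, once `flag` is 1 swap() makes `array[1]` the same object as `double_arr2`, so transition() writes `{}` into `double_arr2[0]` between the two stores in f(), and the optimized code must not treat the second store as going to an unchanged double array. A header line such as `// array[1] aliases double_arr2 once flag is 1; transition() then changes its elements kind between the two stores in f().` would record that. It may also be worth adding `assertEquals("object", typeof double_arr2[0]);` after the last call, so the test fails visibly if the aliasing setup itself stops working.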