Status: New
Owner: ----
New issue 2421 by [email protected]: Hydrogent generates incorrect code
http://code.google.com/p/v8/issues/detail?id=2421
Description follows after the test case.
```js
var counter = 0;
function it() {
if (counter > 100000) return;
return ++counter;
}
function call_iota() {
var s = 0;
var i = 0;
while (i !== undefined) {
s += i;
i = it();
}
return s;
}
print(call_iota());
```
This test case should exit at some point (after it() returns undefined).
However it doesn't, because the while loop never exits, even when `i`
becomes undefined.
I could reproduce this with v8 3.11.10.22, 3.13.7.4, and trunk *up to*
r12960. Starting with r12961
(https://chromiumcodereview.appspot.com/10837165) the test passes, but it
seems that was just a fortunate side-effect. In any case there are a couple
of "stable" v8 branches that have the bug.
FWIW, I tested with the x64 build on Windows 7.
See also https://github.com/joyent/node/issues/4231.
Looking at the disassembler output, it looks like the is-nil-and-branch
block that is responsible for the "i === undefined" check assumes that i is
represented as a tagged pointer and stored in rcx. However the return value
from the it() call is either immediately unboxed (when it is a double), or
stored in r10.
```
--- Raw source ---
() {
var s = 0;
var i = 0;
while (i !== undefined) {
s += i;
i = it();
}
}
--- Optimized code ---
kind = OPTIMIZED_FUNCTION
name = call_iota
stack_slots = 7
Instructions (size = 609)
000000000203FFE0 0 55 push rbp
000000000203FFE1 1 4889e5 REX.W movq rbp,rsp
000000000203FFE4 4 56 push rsi
000000000203FFE5 5 57 push rdi
000000000203FFE6 6 4883ec38 REX.W subq rsp,0x38
;;; @0: label.
;;; B0
;;; @1: gap.
;;; @2: parameter.
;;; @3: gap.
;;; @4: context.
000000000203FFEA 10 488bc6 REX.W movq rax,rsi
;;; @5: gap.
000000000203FFED 13 488945c8 REX.W movq [rbp-0x38],rax
;;; @6: gap.
;;; @7: goto.
;;; @8: label.
;;; B1
;;; @9: gap.
;;; @10: stack-check.
000000000203FFF1 17 493b6560 REX.W cmpq rsp,[r13+0x60]
000000000203FFF5 21 7305 jnc 28 (000000000203FFFC)
000000000203FFF7 23 e88427fdff call 0000000002012780 ;; code:
STUB, StackCheckStub, minor: 0
;;; @11: gap.
;;; @12: gap.
;;; @13: goto.
000000000203FFFC 28 e987000000 jmp 168 (0000000002040088)
;;; @14: label.
;;; B2
;;; @15: gap.
;;; @16: unknown-osr-value.
;;; @17: gap.
;;; @18: unknown-osr-value.
;;; @19: gap.
;;; @20: unknown-osr-value.
;;; @21: gap.
;;; @22: unknown-osr-value.
;;; @23: gap.
;;; @24: osr-entry.
;;; @25: gap.
;;; @26: context.
0000000002040001 33 488bc6 REX.W movq rax,rsi
;;; @27: gap.
0000000002040004 36 488b5dd8 REX.W movq rbx,[rbp-0x28]
;;; @28: double-untag.
0000000002040008 40 f6c301 testb rbx,0x1
000000000204000B 43 7424 jz 81 (0000000002040031)
000000000204000D 45 4d8b55f8 REX.W movq r10,[r13-0x8]
0000000002040011 49 4c3953ff REX.W cmpq [rbx-0x1],r10
0000000002040015 53 7413 jz 74 (000000000204002A)
0000000002040017 55 493b5da8 REX.W cmpq rbx,[r13-0x58]
000000000204001B 59 0f85b5010000 jnz 502 (00000000020401D6)
0000000002040021 65 0f57c9 xorps xmm1, xmm1
0000000002040024 68 f20f5ec9 divsd xmm1,xmm1
0000000002040028 72 eb13 jmp 93 (000000000204003D)
000000000204002A 74 f20f104b07 movsd xmm1,[rbx+0x7]
000000000204002F 79 eb0c jmp 93 (000000000204003D)
0000000002040031 81 4c8bd3 REX.W movq r10,rbx
0000000002040034 84 49c1ea20 REX.W shrq r10,32
0000000002040038 88 f2410f2aca cvtsi2sd xmm1,r10
;;; @29: gap.
000000000204003D 93 488b55d0 REX.W movq rdx,[rbp-0x30]
;;; @30: double-untag.
0000000002040041 97 f6c201 testb rdx,0x1
0000000002040044 100 7424 jz 138 (000000000204006A)
0000000002040046 102 4d8b55f8 REX.W movq r10,[r13-0x8]
000000000204004A 106 4c3952ff REX.W cmpq [rdx-0x1],r10
000000000204004E 110 7413 jz 131 (0000000002040063)
0000000002040050 112 493b55a8 REX.W cmpq rdx,[r13-0x58]
0000000002040054 116 0f8589010000 jnz 515 (00000000020401E3)
000000000204005A 122 0f57d2 xorps xmm2, xmm2
000000000204005D 125 f20f5ed2 divsd xmm2,xmm2
0000000002040061 129 eb13 jmp 150 (0000000002040076)
0000000002040063 131 f20f105207 movsd xmm2,[rdx+0x7]
0000000002040068 136 eb0c jmp 150 (0000000002040076)
000000000204006A 138 4c8bd2 REX.W movq r10,rdx
000000000204006D 141 49c1ea20 REX.W shrq r10,32
0000000002040071 145 f2410f2ad2 cvtsi2sd xmm2,r10
;;; @31: gap.
;;; @32: gap.
0000000002040076 150 488b5de8 REX.W movq rbx,[rbp-0x18]
000000000204007A 154 0f28c2 movaps xmm0, xmm2
000000000204007D 157 0f28d1 movaps xmm2, xmm1
0000000002040080 160 0f28c8 movaps xmm1, xmm0
;;; @33: goto.
0000000002040083 163 e90e000000 jmp 182 (0000000002040096)
;;; @34: label.
;;; B3
;;; @35: gap.
;;; @36: constant-d.
0000000002040088 168 0f57c9 xorps xmm1, xmm1
;;; @37: gap.
;;; @38: gap.
000000000204008B 171 488b5d10 REX.W movq rbx,[rbp+0x10]
000000000204008F 175 488b45c8 REX.W movq rax,[rbp-0x38]
0000000002040093 179 0f28d1 movaps xmm2, xmm1
;;; @39: goto.
;;; @40: label.
;;; B4
0000000002040096 182 48895dd8 REX.W movq [rbp-0x28],rbx
;;; @41: gap.
;;; @42: global-object.
000000000204009A 186 488b4627 REX.W movq rax,[rsi+0x27]
;;; @43: gap.
;;; @44: global-receiver.
000000000204009E 190 488b402f REX.W movq rax,[rax+0x2f]
;;; @45: gap.
00000000020400A2 194 488945d0 REX.W movq [rbp-0x30],rax
;;; @46: gap.
;;; @47: goto.
;;; @48: label.
;;; B5 - LOOP entry
00000000020400A6 198 f20f114dc0 movsd [rbp-0x40],xmm1
;;; @49: gap.
;;; @50: number-tag-d.
00000000020400AB 203 498b8d10080000 REX.W movq rcx,[r13+0x810]
00000000020400B2 210 488bd1 REX.W movq rdx,rcx
00000000020400B5 213 4883c210 REX.W addq rdx,0x10
00000000020400B9 217 0f82cb000000 jc 426 (000000000204018A)
00000000020400BF 223 493b9518080000 REX.W cmpq rdx,[r13+0x818]
00000000020400C6 230 0f87be000000 ja 426 (000000000204018A)
00000000020400CC 236 49899510080000 REX.W movq [r13+0x810],rdx
00000000020400D3 243 4883c101 REX.W addq rcx,0x1
00000000020400D7 247 4d8b55f8 REX.W movq r10,[r13-0x8]
00000000020400DB 251 4c8951ff REX.W movq [rcx-0x1],r10
00000000020400DF 255 f20f114907 movsd [rcx+0x7],xmm1
;;; @51: gap.
;;; @52: gap.
;;; @53: is-nil-and-branch.
00000000020400E4 260 493b4da8 REX.W cmpq rcx,[r13-0x58]
00000000020400E8 264 0f848b000000 jz 409 (0000000002040179)
;;; @58: label.
;;; B7
;;; @59: gap.
00000000020400EE 270 0f28da movaps xmm3, xmm2
;;; @60: add-d.
00000000020400F1 273 f20f58d9 addsd xmm3,xmm1
;;; @61: gap.
00000000020400F5 277 f20f115db8 movsd [rbp-0x48],xmm3
;;; @62: load-global-cell.
00000000020400FA 282 48ba1891008900000000 REX.W movq
rdx,0000000089009118 ;; global property cell
0000000002040104 292 488b12 REX.W movq rdx,[rdx]
;;; @63: gap.
;;; @64: check-function.
0000000002040107 295 49ba81abb5d900000000 REX.W movq
r10,00000000D9B5AB81 ;; object: 00000000D9B5AB81 <JS Function it>
0000000002040111 305 493bd2 REX.W cmpq rdx,r10
0000000002040114 308 0f85d6000000 jnz 528 (00000000020401F0)
;;; @65: gap.
;;; @66: push-argument.
000000000204011A 314 50 push rax
;;; @67: gap.
;;; @68: call-known-global.
000000000204011B 315 48bf81abb5d900000000 REX.W movq
rdi,00000000D9B5AB81 ;; object: 00000000D9B5AB81 <JS Function it>
0000000002040125 325 488b772f REX.W movq rsi,[rdi+0x2f]
0000000002040129 329 4c89e1 REX.W movq rcx,r12
000000000204012C 332 ff5717 call [rdi+0x17] ;; debug:
position 191
000000000204012F 335 488b75f8 REX.W movq rsi,[rbp-0x8]
;;; @69: gap.
;;; @70: lazy-bailout.
;;; @71: gap.
;;; @72: double-untag.
0000000002040133 339 a801 test al,0x1
0000000002040135 341 7424 jz 379 (000000000204015B)
0000000002040137 343 4d8b55f8 REX.W movq r10,[r13-0x8]
000000000204013B 347 4c3950ff REX.W cmpq [rax-0x1],r10
000000000204013F 351 7413 jz 372 (0000000002040154)
0000000002040141 353 493b45a8 REX.W cmpq rax,[r13-0x58]
0000000002040145 357 0f85b2000000 jnz 541 (00000000020401FD)
000000000204014B 363 0f57c9 xorps xmm1, xmm1
000000000204014E 366 f20f5ec9 divsd xmm1,xmm1
0000000002040152 370 eb13 jmp 391 (0000000002040167)
0000000002040154 372 f20f104807 movsd xmm1,[rax+0x7]
0000000002040159 377 eb0c jmp 391 (0000000002040167)
000000000204015B 379 4c8bd0 REX.W movq r10,rax
000000000204015E 382 49c1ea20 REX.W shrq r10,32
0000000002040162 386 f2410f2aca cvtsi2sd xmm1,r10
;;; @73: gap.
;;; @74: gap.
0000000002040167 391 f20f1055b8 movsd xmm2,[rbp-0x48]
000000000204016C 396 488b5dd8 REX.W movq rbx,[rbp-0x28]
0000000002040170 400 488b45d0 REX.W movq rax,[rbp-0x30]
;;; @75: goto.
0000000002040174 404 e92dffffff jmp 198 (00000000020400A6)
;;; @80: label.
;;; B9
;;; @81: gap.
;;; @82: constant-t.
0000000002040179 409 48b82141b0d900000000 REX.W movq
rax,00000000D9B04121 ;; object: 00000000D9B04121 <undefined>
;;; @83: gap.
;;; @84: return.
0000000002040183 419 488be5 REX.W movq rsp,rbp
0000000002040186 422 5d pop rbp
0000000002040187 423 c20800 ret 0x8
;;; @85: gap.
;;; Deferred code @50: number-tag-d.
000000000204018A 426 33c9 xorl rcx,rcx
000000000204018C 428 50 push rax
000000000204018D 429 51 push rcx
000000000204018E 430 52 push rdx
000000000204018F 431 53 push rbx
0000000002040190 432 56 push rsi
0000000002040191 433 57 push rdi
0000000002040192 434 4150 push r8
0000000002040194 436 4151 push r9
0000000002040196 438 4153 push r11
0000000002040198 440 4156 push r14
000000000204019A 442 4157 push r15
000000000204019C 444 488d6424d8 REX.W leaq rsp,[rsp-0x28]
00000000020401A1 449 488b75f8 REX.W movq rsi,[rbp-0x8]
00000000020401A5 453 33c0 xorl rax,rax
00000000020401A7 455 48bb60af4b3f01000000 REX.W movq rbx,000000013F4BAF60
00000000020401B1 465 e86a64fcff call 0000000002006620 ;; code:
STUB, CEntryStub, minor: 1
00000000020401B6 470 4c8bd0 REX.W movq r10,rax
00000000020401B9 473 488d642428 REX.W leaq rsp,[rsp+0x28]
00000000020401BE 478 415f pop r15
00000000020401C0 480 415e pop r14
00000000020401C2 482 415b pop r11
00000000020401C4 484 4159 pop r9
00000000020401C6 486 4158 pop r8
00000000020401C8 488 5f pop rdi
00000000020401C9 489 5e pop rsi
00000000020401CA 490 5b pop rbx
00000000020401CB 491 5a pop rdx
00000000020401CC 492 59 pop rcx
00000000020401CD 493 58 pop rax
00000000020401CE 494 498bca REX.W movq rcx,r10
00000000020401D1 497 e909ffffff jmp 255 (00000000020400DF)
00000000020401D6 502 49ba1460100200000000 REX.W movq
r10,0000000002106014 ;; deoptimization bailout 2
00000000020401E0 512 41ffe2 jmp r10
00000000020401E3 515 49ba1e60100200000000 REX.W movq
r10,000000000210601E ;; deoptimization bailout 3
00000000020401ED 525 41ffe2 jmp r10
00000000020401F0 528 49ba2860100200000000 REX.W movq
r10,0000000002106028 ;; deoptimization bailout 4
00000000020401FA 538 41ffe2 jmp r10
00000000020401FD 541 49ba3c60100200000000 REX.W movq
r10,000000000210603C ;; deoptimization bailout 6
0000000002040207 551 41ffe2 jmp r10
000000000204020A 554 90 nop
000000000204020B 555 90 nop
000000000204020C 556 90 nop
000000000204020D 557 90 nop
000000000204020E 558 90 nop
000000000204020F 559 90 nop
0000000002040210 560 90 nop
0000000002040211 561 90 nop
0000000002040212 562 90 nop
0000000002040213 563 90 nop
0000000002040214 564 90 nop
0000000002040215 565 90 nop
0000000002040216 566 90 nop
0000000002040217 567 90 nop
;;; Safepoint table.
```
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
