diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h index 3416edebca..61ee03872d 100644 --- a/deps/v8/include/v8-version.h +++ b/deps/v8/include/v8-version.h @@ -11,7 +11,7 @@ #define V8_MAJOR_VERSION 4 #define V8_MINOR_VERSION 1 #define V8_BUILD_NUMBER 0 -#define V8_PATCH_LEVEL 25 +#define V8_PATCH_LEVEL 27 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) diff --git a/deps/v8/src/compiler/js-builtin-reducer.cc b/deps/v8/src/compiler/js-builtin-reducer.cc index 263b0feedd..ff9f7b4523 100644 --- a/deps/v8/src/compiler/js-builtin-reducer.cc +++ b/deps/v8/src/compiler/js-builtin-reducer.cc @@ -151,8 +151,8 @@ Reduction JSBuiltinReducer::ReduceMathMax(Node* node) { Node* const input = r.GetJSCallInput(i); value = graph()->NewNode( common()->Select(kMachNone), - graph()->NewNode(simplified()->NumberLessThan(), input, value), input, - value); + graph()->NewNode(simplified()->NumberLessThan(), input, value), value, + input); } return Replace(value); } diff --git a/deps/v8/src/hydrogen-bce.cc b/deps/v8/src/hydrogen-bce.cc index 18bd0affb6..3bf8e9f039 100644 --- a/deps/v8/src/hydrogen-bce.cc +++ b/deps/v8/src/hydrogen-bce.cc @@ -56,7 +56,8 @@ class BoundsCheckKey : public ZoneObject { constant = HConstant::cast(check->index()); } - if (constant != NULL && constant->HasInteger32Value()) { + if (constant != NULL && constant->HasInteger32Value() && + constant->Integer32Value() != kMinInt) { *offset = is_sub ? - constant->Integer32Value() : constant->Integer32Value(); } else { diff --git a/deps/v8/test/mjsunit/compiler/regress-468162.js b/deps/v8/test/mjsunit/compiler/regress-468162.js new file mode 100644 index 0000000000..47bff032d5 --- /dev/null +++ b/deps/v8/test/mjsunit/compiler/regress-468162.js @@ -0,0 +1,11 @@ +// Copyright 2015 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +var asm = (function() { + "use asm"; + var max = Math.max; + return function f() { return max(0, -17); }; +})(); + +assertEquals(0, asm()); diff --git a/deps/v8/test/mjsunit/regress/regress-bce-underflow.js b/deps/v8/test/mjsunit/regress/regress-bce-underflow.js new file mode 100644 index 0000000000..daa776005e --- /dev/null +++ b/deps/v8/test/mjsunit/regress/regress-bce-underflow.js @@ -0,0 +1,35 @@ +// Copyright 2015 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax + +function f(a, i, bool) { + var result; + if (bool) { + // Make sure i - -0x80000000 doesn't overflow in BCE, missing a check for + // x-0 later on. + result = f2(a, 0x7fffffff, i, i, -0x80000000); + } else { + result = f2(a, -3, 4, i, 0); + } + return result; +} + +function f2(a, c, x, i, d) { + return a[x + c] + a[x - 0] + a[i - d]; +} + + +var a = []; +var i = 0; +a.push(i++); +a.push(i++); +a.push(i++); +a.push(i++); +a.push(i++); +f(a, 0, false); +f(a, 0, false); +f(a, 0, false); +%OptimizeFunctionOnNextCall(f); +%DebugPrint(f(a, -0x7fffffff, true)); diff --git a/deps/v8/test/unittests/compiler/js-builtin-reducer-unittest.cc b/deps/v8/test/unittests/compiler/js-builtin-reducer-unittest.cc index 9c572820e7..eeb401373f 100644 --- a/deps/v8/test/unittests/compiler/js-builtin-reducer-unittest.cc +++ b/deps/v8/test/unittests/compiler/js-builtin-reducer-unittest.cc @@ -166,7 +166,7 @@ TEST_F(JSBuiltinReducerTest, MathMax2) { if (t0->Is(Type::Integral32()) && t1->Is(Type::Integral32())) { ASSERT_TRUE(r.Changed()); EXPECT_THAT(r.replacement(), - IsSelect(kMachNone, IsNumberLessThan(p1, p0), p1, p0)); + IsSelect(kMachNone, IsNumberLessThan(p1, p0), p0, p1)); } else { ASSERT_FALSE(r.Changed()); EXPECT_EQ(IrOpcode::kJSCallFunction, call->opcode());