Bug 1528829 - Restrict ExtractLinearSum to monotonous operation in infinite math space. r=jandem,sunfish, a=lizzard
authorNicolas B. Pierron <nicolas.b.pierron@nbp.name>
Tue, 19 Feb 2019 15:41:23 +0100
changeset 516109 197546cf8331433a7428de57a377215867a4250d
parent 516108 59a0b8b45c1e6a010397244e9030d9e3c80e2d86
child 516110 d5cdb1c49f3983fb7f84d424f66e86622fce9d0c
push id1953
push userffxbld-merge
push dateMon, 11 Mar 2019 12:10:20 +0000
reviewersjandem, sunfish, lizzard
bugs1528829
milestone66.0
Bug 1528829 - Restrict ExtractLinearSum to monotonous operation in infinite math space. r=jandem,sunfish, a=lizzard Thanks to Bruno Keith & Niklas Baumstark from the phoenhex team for finding this issue and reporting it with a proper analysis. Differential Revision: https://phabricator.services.mozilla.com/D20343
js/src/jit/IonAnalysis.cpp
--- a/js/src/jit/IonAnalysis.cpp
+++ b/js/src/jit/IonAnalysis.cpp
@@ -3414,16 +3414,24 @@ static MathSpace ExtractMathSpace(MDefin
       return MathSpace::Infinite;
     case MDefinition::IndirectTruncate:
     case MDefinition::Truncate:
       return MathSpace::Modulo;
   }
   MOZ_MAKE_COMPILER_ASSUME_IS_UNREACHABLE("Unknown TruncateKind");
 }
 
+static bool MonotoneAdd(int32_t lhs, int32_t rhs) {
+  return (lhs >= 0 && rhs >= 0) || (lhs <= 0 && rhs <= 0);
+}
+
+static bool MonotoneSub(int32_t lhs, int32_t rhs) {
+  return (lhs >= 0 && rhs <= 0) || (lhs <= 0 && rhs >= 0);
+}
+
 // Extract a linear sum from ins, if possible (otherwise giving the
 // sum 'ins + 0').
 SimpleLinearSum jit::ExtractLinearSum(MDefinition* ins, MathSpace space) {
   if (ins->isBeta()) {
     ins = ins->getOperand(0);
   }
 
   if (ins->type() != MIRType::Int32) {
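Review bot: MonotoneAdd and MonotoneSub are added without any comment, so nothing in this hunk says why the sign relationship of the two constants matters or what "monotone" means here. I would put above MonotoneAdd something like `// True if both constants move the term in the same direction (or one is 0), so merging them cannot cancel an overflow an intermediate Int32 operation would have hit.`, and above MonotoneSub a matching line noting that the sign test on rhs is flipped because rhs is subtracted. That wording is inferred from the commit title and the two bodies, so the author should confirm it. The same gap exists at both call sites in the second hunk, where a one-line comment should state that MathSpace::Modulo skips the check on purpose.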
@@ -3463,29 +3471,31 @@ SimpleLinearSum jit::ExtractLinearSum(MD
     return SimpleLinearSum(ins, 0);
   }
 
   // Check if this is of the form <SUM> + n or n + <SUM>.
   if (ins->isAdd()) {
     int32_t constant;
     if (space == MathSpace::Modulo) {
       constant = uint32_t(lsum.constant) + uint32_t(rsum.constant);
-    } else if (!SafeAdd(lsum.constant, rsum.constant, &constant)) {
+    } else if (!SafeAdd(lsum.constant, rsum.constant, &constant) ||
+               !MonotoneAdd(lsum.constant, rsum.constant)) {
       return SimpleLinearSum(ins, 0);
     }
     return SimpleLinearSum(lsum.term ? lsum.term : rsum.term, constant);
   }
 
   MOZ_ASSERT(ins->isSub());
   // Check if this is of the form <SUM> - n.
   if (lsum.term) {
     int32_t constant;
     if (space == MathSpace::Modulo) {
       constant = uint32_t(lsum.constant) - uint32_t(rsum.constant);
-    } else if (!SafeSub(lsum.constant, rsum.constant, &constant)) {
+    } else if (!SafeSub(lsum.constant, rsum.constant, &constant) ||
+               !MonotoneSub(lsum.constant, rsum.constant)) {
       return SimpleLinearSum(ins, 0);
     }
     return SimpleLinearSum(lsum.term, constant);
   }
 
   // Ignore any of the form n - <SUM>.
   return SimpleLinearSum(ins, 0);
 }
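Review bot: The commit touches only js/src/jit/IonAnalysis.cpp, so the new rejection path in the two Infinite branches (`!SafeAdd(...) || !MonotoneAdd(...)` and its SafeSub/MonotoneSub twin) lands without a regression test. Without one, a later refactor of ExtractLinearSum could drop the guard unnoticed. A jit-test should pin both directions: constants of opposite sign are no longer folded into one SimpleLinearSum, and same-sign constants still are. If the test is being withheld until the bug is public, a follow-up reference in the description would make that explicit. The code that computes lsum and rsum lies between the two hunks and is not visible here, so how the check behaves across nested sums should be confirmed against it.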