[v8-dev] Don't inline Array functions if receiver map is not extensible. (issue 552333002 by [email protected])

Tue, 09 Sep 2014 07:04:30 -0700 

Reviewers: Benedikt Meurer,

Message:
PTAL

Description:
Don't inline Array functions if receiver map is not extensible.

BUG=405517
LOG=N
TEST=mjsunit/regress/regress-crbug-405517.js

Please review this at https://codereview.chromium.org/552333002/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+22, -3 lines):
  M src/hydrogen.cc
  A test/mjsunit/regress/regress-crbug-412319.js


Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 35efe630aab242a6a88060021c55dd40c01df178..77f6506aad6fa1266343b30f95c65a8d1982300e 100644 
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -8227,7 +8227,7 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall( 
       ElementsKind elements_kind = receiver_map->elements_kind();
       if (!IsFastElementsKind(elements_kind)) return false;
       if (receiver_map->is_observed()) return false;
-      DCHECK(receiver_map->is_extensible());
+      if (!receiver_map->is_extensible()) return false;

       Drop(expr->arguments()->length());
       HValue* result;
@@ -8292,7 +8292,7 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall( 
       if (!IsFastElementsKind(elements_kind)) return false;
       if (receiver_map->is_observed()) return false;
       if (JSArray::IsReadOnlyLengthDescriptor(receiver_map)) return false;
-      DCHECK(receiver_map->is_extensible());
+      if (!receiver_map->is_extensible()) return false;
// If there may be elements accessors in the prototype chain, the fast 
       // inlined version can't be used.
@@ -8459,7 +8459,7 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall( 
       if (!IsFastElementsKind(kind)) return false;
       if (receiver_map->is_observed()) return false;
       if (argument_count != 2) return false;
-      DCHECK(receiver_map->is_extensible());
+      if (!receiver_map->is_extensible()) return false;
// If there may be elements accessors in the prototype chain, the fast 
       // inlined version can't be used.
Index: test/mjsunit/regress/regress-crbug-412319.js
diff --git a/test/mjsunit/regress/regress-crbug-412319.js b/test/mjsunit/regress/regress-crbug-412319.js 
new file mode 100644
index 0000000000000000000000000000000000000000..21386e3bd614f3ad0bdd3eb35dd2c41b8e7b76e2 
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-412319.js
@@ -0,0 +1,19 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function __f_6() {
+ var __v_7 = [0];
+ %PreventExtensions(__v_7);
+ for (var __v_6 = -2; __v_6 < 19; __v_6++) __v_7.shift();
+ __f_7(__v_7);
+}
+__f_6();
+__f_6();
+%OptimizeFunctionOnNextCall(__f_6);
+__f_6();
+function __f_7(__v_7) {
+  __v_7.push(Infinity);
+}


--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
--- You received this message because you are subscribed to the Google Groups "v8-dev" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to