Revision: 24366
Author: [email protected]
Date: Wed Oct 1 13:17:34 2014 UTC
Log: Fix Hydrogen's BuildStore()
BUG=chromium:417508
LOG=y
[email protected]
Review URL: https://codereview.chromium.org/612423002
https://code.google.com/p/v8/source/detail?r=24366
Added:
/branches/bleeding_edge/test/mjsunit/regress/regress-crbug-417508.js
Modified:
/branches/bleeding_edge/src/hydrogen.cc
=======================================
--- /dev/null
+++ /branches/bleeding_edge/test/mjsunit/regress/regress-crbug-417508.js
Wed Oct 1 13:17:34 2014 UTC
@@ -0,0 +1,29 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(x) {
+ var k = "value";
+ return x[k] = 1;
+}
+var obj = {};
+Object.defineProperty(obj, "value", {set: function(x) { throw "nope"; }});
+try { foo(obj); } catch(e) {}
+try { foo(obj); } catch(e) {}
+%OptimizeFunctionOnNextCall(foo);
+try { foo(obj); } catch(e) {}
+
+function bar(x) {
+ var k = "value";
+ return (x[k] = 1) ? "ok" : "nope";
+}
+var obj2 = {};
+Object.defineProperty(obj2, "value",
+ {set: function(x) { throw "nope"; return true; } });
+
+try { bar(obj2); } catch(e) {}
+try { bar(obj2); } catch(e) {}
+%OptimizeFunctionOnNextCall(bar);
+try { bar(obj2); } catch(e) {}
=======================================
--- /branches/bleeding_edge/src/hydrogen.cc Tue Sep 30 10:29:32 2014 UTC
+++ /branches/bleeding_edge/src/hydrogen.cc Wed Oct 1 13:17:34 2014 UTC
@@ -6450,16 +6450,19 @@
bool is_uninitialized) {
if (!prop->key()->IsPropertyName()) {
// Keyed store.
- HValue* value = environment()->ExpressionStackAt(0);
- HValue* key = environment()->ExpressionStackAt(1);
- HValue* object = environment()->ExpressionStackAt(2);
+ HValue* value = Pop();
+ HValue* key = Pop();
+ HValue* object = Pop();
bool has_side_effects = false;
- HandleKeyedElementAccess(object, key, value, expr, ast_id, return_id,
STORE,
- &has_side_effects);
- Drop(3);
- Push(value);
- Add<HSimulate>(return_id, REMOVABLE_SIMULATE);
- return ast_context()->ReturnValue(Pop());
+ HValue* result = HandleKeyedElementAccess(
+ object, key, value, expr, ast_id, return_id, STORE,
&has_side_effects);
+ if (has_side_effects) {
+ if (!ast_context()->IsEffect()) Push(value);
+ Add<HSimulate>(ast_id, REMOVABLE_SIMULATE);
+ if (!ast_context()->IsEffect()) Drop(1);
+ }
+ if (result == NULL) return;
+ return ast_context()->ReturnValue(value);
}
// Named store.
@@ -7089,7 +7092,7 @@
store_mode);
}
*has_side_effects |= instr->HasObservableSideEffects();
- return access_type == STORE ? NULL : instr;
+ return access_type == STORE ? val : instr;
}
HBasicBlock* join = graph()->CreateBasicBlock();
@@ -7142,7 +7145,7 @@
NoObservableSideEffectsScope scope(this);
FinishExitWithHardDeoptimization("Unknown map in polymorphic element
access");
set_current_block(join);
- return access_type == STORE ? NULL : Pop();
+ return access_type == STORE ? val : Pop();
}
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
