Reviewers: Igor Sheludko,

Description:
Version 3.29.88.4 (merged r24366)

Fix Hydrogen's BuildStore()

BUG=chromium:417508
LOG=N
[email protected]

Please review this at https://codereview.chromium.org/629973003/

SVN Base: https://v8.googlecode.com/svn/branches/3.29

Affected files (+44, -12 lines):
  M src/hydrogen.cc
  M src/version.cc
  A test/mjsunit/regress/regress-crbug-417508.js


Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index e8360a09f98d516aa682806960a6e6b9705c88cf..37ee2e493b3aa3ab692107b4812717d158692d90 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -6426,16 +6426,19 @@ void HOptimizedGraphBuilder::BuildStore(Expression* expr,
                                         bool is_uninitialized) {
   if (!prop->key()->IsPropertyName()) {
     // Keyed store.
-    HValue* value = environment()->ExpressionStackAt(0);
-    HValue* key = environment()->ExpressionStackAt(1);
-    HValue* object = environment()->ExpressionStackAt(2);
+    HValue* value = Pop();
+    HValue* key = Pop();
+    HValue* object = Pop();
     bool has_side_effects = false;
- HandleKeyedElementAccess(object, key, value, expr, ast_id, return_id, STORE,
-                             &has_side_effects);
-    Drop(3);
-    Push(value);
-    Add<HSimulate>(return_id, REMOVABLE_SIMULATE);
-    return ast_context()->ReturnValue(Pop());
+    HValue* result = HandleKeyedElementAccess(
+ object, key, value, expr, ast_id, return_id, STORE, &has_side_effects);
+    if (has_side_effects) {
+      if (!ast_context()->IsEffect()) Push(value);
+      Add<HSimulate>(ast_id, REMOVABLE_SIMULATE);
+      if (!ast_context()->IsEffect()) Drop(1);
+    }
+    if (result == NULL) return;
+    return ast_context()->ReturnValue(value);
   }

   // Named store.
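Review bot: The `if (result == NULL) return;` exit in the keyed-store branch skips `ast_context()->ReturnValue(value)` with no comment saying what a NULL result means, and it runs after the simulate has already been added. Since the STORE returns in HandlePolymorphicElementAccess now hand back `val`, NULL presumably signals a bailout or a dead block, but that cannot be confirmed from these lines. I would add `// NULL: the access helper produced no value (bailout or dead block); leave the AST context untouched.` above the check, and a short comment on the Push/Simulate/Drop sequence saying that `value` is put on the expression stack only for the simulate and only outside an effect context. The environment captured by that simulate is what deoptimization rebuilds at `ast_id`, so it is the part of this fix most worth documenting. BuildStore starts before this hunk and continues after it.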
@@ -7065,7 +7068,7 @@ HValue* HOptimizedGraphBuilder::HandlePolymorphicElementAccess(
           store_mode);
     }
     *has_side_effects |= instr->HasObservableSideEffects();
-    return access_type == STORE ? NULL : instr;
+    return access_type == STORE ? val : instr;
   }

   HBasicBlock* join = graph()->CreateBasicBlock();
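Review bot: `return access_type == STORE ? val : instr;` changes what a STORE caller receives from NULL to the stored value, here and at the final `return access_type == STORE ? val : Pop();` in the next hunk, but no comment records the new contract. BuildStore now treats NULL as a distinct outcome, so any other return path of this function or of HandleKeyedElementAccess that still yields NULL for a successful store would skip ReturnValue; those paths are outside the visible hunks and should be checked. I would add above the function `// For STORE, returns the stored value; NULL only when no value is available to the caller.`, with the wording confirmed against the remaining paths. The function starts outside this hunk.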
@@ -7118,7 +7121,7 @@ HValue* HOptimizedGraphBuilder::HandlePolymorphicElementAccess(
   NoObservableSideEffectsScope scope(this);
FinishExitWithHardDeoptimization("Unknown map in polymorphic element access");
   set_current_block(join);
-  return access_type == STORE ? NULL : Pop();
+  return access_type == STORE ? val : Pop();
 }


Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index 95015548403b2b356c07ff812de096bffc03e78d..b0e559e312a3dc01cfa14efbba2df8556cad222c 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     29
 #define BUILD_NUMBER      88
-#define PATCH_LEVEL       3
+#define PATCH_LEVEL       4
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
Index: test/mjsunit/regress/regress-crbug-417508.js
diff --git a/test/mjsunit/regress/regress-crbug-417508.js b/test/mjsunit/regress/regress-crbug-417508.js
new file mode 100644
index 0000000000000000000000000000000000000000..589fb88443b2a4742e2334d4e5ea2ead6cbcd3bf
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-417508.js
@@ -0,0 +1,29 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(x) {
+  var k = "value";
+  return x[k] = 1;
+}
+var obj = {};
+Object.defineProperty(obj, "value", {set: function(x) { throw "nope"; }});
+try { foo(obj); } catch(e) {}
+try { foo(obj); } catch(e) {}
+%OptimizeFunctionOnNextCall(foo);
+try { foo(obj); } catch(e) {}
+
+function bar(x) {
+  var k = "value";
+  return (x[k] = 1) ? "ok" : "nope";
+}
+var obj2 = {};
+Object.defineProperty(obj2, "value",
+    {set: function(x) { throw "nope"; return true; } });
+
+try { bar(obj2); } catch(e) {}
+try { bar(obj2); } catch(e) {}
+%OptimizeFunctionOnNextCall(bar);
+try { bar(obj2); } catch(e) {}
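Review bot: Every call in this test sits inside `try { ... } catch(e) {}`, so it only detects a crash; it would still pass if the optimized `foo` or `bar` stopped throwing or produced the wrong value. I would pin the behaviour with `assertThrows(function() { foo(obj); });` after `%OptimizeFunctionOnNextCall(foo);`, and add a non-throwing case such as `assertEquals(1, foo({}));` so the value of the assignment expression is checked as well. The `return true;` after `throw "nope";` in the second setter is unreachable and can be dropped.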

