Reviewers: jarin,

Message:
Hi Jaro, could you have a look?
--Michael

Description:
The assert that protects against polymorphic string loads also fires on valid stores.

BUG=435477
LOG=N
[email protected]

Please review this at https://codereview.chromium.org/751513002/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+11, -9 lines):
  M src/hydrogen.cc
  A + test/mjsunit/regress/regress-435477.js


Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 21ef8c019fb410b26214f1751c53e27e3a8579fb..c479b907178342b42555a021cb4cd1986685ff1a 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -7094,7 +7094,9 @@ HValue* HOptimizedGraphBuilder::HandlePolymorphicElementAccess(
   MapHandleList possible_transitioned_maps(maps->length());
   for (int i = 0; i < maps->length(); ++i) {
     Handle<Map> map = maps->at(i);
-    DCHECK(!map->IsStringMap());
+    // Loads from strings or loads with a mix of string and non-string maps
+    // shouldn't be handled polymorphically.
+    DCHECK(access_type != LOAD || !map->IsStringMap());
     ElementsKind elements_kind = map->elements_kind();
     if (CanInlineElementAccess(map) && IsFastElementsKind(elements_kind) &&
         elements_kind != GetInitialFastElementsKind()) {
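Review bot: The relaxed `DCHECK(access_type != LOAD || !map->IsStringMap());` now lets a string map on a store continue into `map->elements_kind()` and the transition-map loop, and nothing visible in this hunk shows how a string receiver is treated from there on. `DCHECK` is compiled out of release builds, so it documents an invariant rather than enforcing one. The actual filtering has to happen in the caller or further down in `HandlePolymorphicElementAccess`, whose body continues outside the hunk. The new comment covers only the load case; I would extend it to say why stores are exempt and where string maps are dealt with, for example `// Stores may still reach this loop with a string map; see <placeholder: location of the string-map handling>.`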
Index: test/mjsunit/regress/regress-435477.js
diff --git a/test/mjsunit/regress/regress-alloc-smi-check.js b/test/mjsunit/regress/regress-435477.js
similarity index 66%
copy from test/mjsunit/regress/regress-alloc-smi-check.js
copy to test/mjsunit/regress/regress-435477.js
index 295048a13ef862ceb21939de104e7968dd7772da..0a150002c9a1e692bd9e3bc3c94e3d2bffa8eca4 100644
--- a/test/mjsunit/regress/regress-alloc-smi-check.js
+++ b/test/mjsunit/regress/regress-435477.js
@@ -1,16 +1,16 @@
 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
-//
-// Flags: --allow-natives-syntax

-var x = {};
+// Flags: --allow-natives-syntax
+var a = new Array(128);

-function f(a) {
-  a[200000000] = x;
+function f(a, base) {
+  a[base] = 2;
 }

-f(new Array(100000));
-f([]);
+f(a, undefined);
+f("r12", undefined);
+f(a, 0);
 %OptimizeFunctionOnNextCall(f);
-f([]);
+f(a, 0);
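Review bot: The test passes simply by not crashing, so it only catches the regression in builds where the `DCHECK` is active and checks nothing about the result of the optimized store. Adding `assertEquals(2, a[0]);` after the final `f(a, 0);` would pin the store's effect in release builds as well. Because the file was copied from an unrelated test, a short comment on `f("r12", undefined);` would also help, presumably along the lines of `// Record a string map in the keyed-store feedback.`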

