Reviewers: mvstanton,
Message:
Hi Michael, here is the fix we discussed. PTAL.
Description:
Monomorphic and polymorphic ICs with cleared maps should not go megamorphic.
BUG=v8:3663
TEST=cctest/test-heap/MonomorphicStaysMonomorphicAfterGC
LOG=N
Please review this at https://codereview.chromium.org/816653002/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+92, -1 lines):
M src/ic/ic.cc
M test/cctest/test-heap.cc
Index: src/ic/ic.cc
diff --git a/src/ic/ic.cc b/src/ic/ic.cc
index
2ee76374c7137cc3897130ccdecf56ff3e5deff2..cd8b0835b12762d72561e3e457266401260a9f78
100644
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -832,7 +832,10 @@ bool IC::UpdatePolymorphicIC(Handle<Name> name,
Handle<Code> code) {
number_of_types - deprecated_types - (handler_to_overwrite != -1);
if (number_of_valid_types >= 4) return false;
- if (number_of_types == 0) return false;
+ if (number_of_types == 0 && state() != MONOMORPHIC &&
+ state() != POLYMORPHIC) {
+ return false;
+ }
if (UseVector()) {
if (!nexus()->FindHandlers(&handlers, types.length())) return false;
} else {
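Review bot: The relaxed guard on `number_of_types == 0` has no comment saying why a MONOMORPHIC or POLYMORPHIC IC with no remaining types may continue, and the reason (cleared maps, per the commit description) is not evident from the condition alone. I would add above it `// All maps were cleared; stay MONOMORPHIC/POLYMORPHIC rather than going megamorphic.` With this change, the `FindHandlers(&handlers, types.length())` call and everything after it can run with an empty type list. The rest of UpdatePolymorphicIC lies outside the hunk, so it is worth confirming that no later step indexes `types` or `handlers` on the assumption of at least one entry.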
Index: test/cctest/test-heap.cc
diff --git a/test/cctest/test-heap.cc b/test/cctest/test-heap.cc
index
2d15786f89ee03af59847a8e2687d3b5ef1f412d..e3fb806d3be5969934215f91372bbb22b0dab0e9
100644
--- a/test/cctest/test-heap.cc
+++ b/test/cctest/test-heap.cc
@@ -4639,6 +4639,94 @@ TEST(WeakMapInMonomorphicCompareNilIC) {
}
+Handle<JSFunction> GetFunctionByName(Isolate* isolate, const char* name) {
+ Handle<String> str = isolate->factory()->InternalizeUtf8String(name);
+ Handle<Object> obj =
+ Object::GetProperty(isolate->global_object(), str).ToHandleChecked();
+ return Handle<JSFunction>::cast(obj);
+}
+
+
+void CheckIC(Code* code, Code::Kind kind, InlineCacheState state) {
+ Code* ic = FindFirstIC(code, kind);
+ CHECK(ic->is_inline_cache_stub());
+ CHECK(ic->ic_state() == state);
+}
+
+
+TEST(MonomorphicStaysMonomorphicAfterGC) {
+ if (FLAG_always_opt) return;
+ // TODO(mvstanton): vector ics need weak support!
+ if (FLAG_vector_ics) return;
+ CcTest::InitializeVM();
+ Isolate* isolate = CcTest::i_isolate();
+ Heap* heap = isolate->heap();
+ v8::HandleScope scope(CcTest::isolate());
+ CompileRun(
+ "function loadIC(obj) {"
+ " return obj.name;"
+ "}"
+ "function testIC() {"
+ " var proto = {'name' : 'weak'};"
+ " var obj = Object.create(proto);"
+ " loadIC(obj);"
+ " loadIC(obj);"
+ " loadIC(obj);"
+ " return proto;"
+ "};");
+ Handle<JSFunction> loadIC = GetFunctionByName(isolate, "loadIC");
+ {
+ v8::HandleScope scope(CcTest::isolate());
+ CompileRun("(testIC())");
+ }
+ heap->CollectAllGarbage(Heap::kAbortIncrementalMarkingMask);
+ CheckIC(loadIC->code(), Code::LOAD_IC, MONOMORPHIC);
+ {
+ v8::HandleScope scope(CcTest::isolate());
+ CompileRun("(testIC())");
+ }
+ CheckIC(loadIC->code(), Code::LOAD_IC, MONOMORPHIC);
+}
+
+
+TEST(PolymorphicStaysPolymorphicAfterGC) {
+ if (FLAG_always_opt) return;
+ // TODO(mvstanton): vector ics need weak support!
+ if (FLAG_vector_ics) return;
+ CcTest::InitializeVM();
+ Isolate* isolate = CcTest::i_isolate();
+ Heap* heap = isolate->heap();
+ v8::HandleScope scope(CcTest::isolate());
+ CompileRun(
+ "function loadIC(obj) {"
+ " return obj.name;"
+ "}"
+ "function testIC() {"
+ " var proto = {'name' : 'weak'};"
+ " var obj = Object.create(proto);"
+ " loadIC(obj);"
+ " loadIC(obj);"
+ " loadIC(obj);"
+ " var poly = Object.create(proto);"
+ " poly.x = true;"
+ " loadIC(poly);"
+ " return proto;"
+ "};");
+ Handle<JSFunction> loadIC = GetFunctionByName(isolate, "loadIC");
+ {
+ v8::HandleScope scope(CcTest::isolate());
+ CompileRun("(testIC())");
+ }
+ heap->CollectAllGarbage(Heap::kAbortIncrementalMarkingMask);
+ CheckIC(loadIC->code(), Code::LOAD_IC, POLYMORPHIC);
+ {
+ v8::HandleScope scope(CcTest::isolate());
+ CompileRun("(testIC())");
+ }
+ CheckIC(loadIC->code(), Code::LOAD_IC, POLYMORPHIC);
+}
+
+
TEST(WeakCell) {
CcTest::InitializeVM();
Isolate* isolate = CcTest::i_isolate();
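Review bot: `CheckIC` dereferences the result of `FindFirstIC` without checking it. If that helper (defined outside this hunk) returns a null pointer when no IC of the requested kind exists, the test crashes in `ic->is_inline_cache_stub()` rather than failing with a readable CHECK; adding `CHECK(ic != NULL);` before the first use would make that failure explicit. `GetFunctionByName` and `CheckIC` are also declared without `static` or an anonymous namespace, which gives these test-only helpers external linkage. The inner `v8::HandleScope scope` blocks in both new tests shadow the outer `scope`, so a distinct name would read more clearly.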