Reviewers: Igor Sheludko,

Message:
Could you take a look, please?

Description:
Convert to immutable heap number when materializing arguments object.

BUG=chromium:457935
LOG=n
[email protected]

Please review this at https://codereview.chromium.org/935623002/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+31, -1 lines):
  M src/deoptimizer.cc
  A test/mjsunit/regress/regress-457935.js


Index: src/deoptimizer.cc
diff --git a/src/deoptimizer.cc b/src/deoptimizer.cc
index 7c79c89078b98a74e8d65bfb766e2670a8850ba4..befb0f3b85acf264b312e02ea902f5480903625f 100644
--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@@ -3389,7 +3389,11 @@ Handle<Object> SlotRefValueBuilder::GetNext(Isolate* isolate, int lvl) {
     case SlotRef::UINT32:
     case SlotRef::DOUBLE:
     case SlotRef::LITERAL: {
-      return slot.GetValue(isolate);
+      Handle<Object> value = slot.GetValue(isolate);
+      if (value->IsMutableHeapNumber()) {
+ HeapNumber::cast(*value)->set_map(isolate->heap()->heap_number_map());
+      }
+      return value;
     }
     case SlotRef::ARGUMENTS_OBJECT: {
       // We should never need to materialize an arguments object,
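Review bot: The added `set_map` call in the `UINT32`/`DOUBLE`/`LITERAL` case changes the map of the existing object in place, so any other holder of the same box also sees it turn from a mutable into an immutable heap number. The hunk does not show where a MutableHeapNumber can reach this path or whether `value` is its only reference. If the box can still back a double field of a live object, that object would keep writing into a number the rest of the heap now treats as immutable. If exclusive ownership does hold, state it above the `if`, e.g. `// The box is not reachable from any live object here, so flipping its map in place is safe.`; otherwise return a copy, `value = isolate->factory()->NewNumber(HeapNumber::cast(*value)->value());`. `GetNext` starts before and continues past this hunk, so the remaining cases were not reviewed.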
Index: test/mjsunit/regress/regress-457935.js
diff --git a/test/mjsunit/regress/regress-457935.js b/test/mjsunit/regress/regress-457935.js
new file mode 100644
index 0000000000000000000000000000000000000000..db907b344125a16f76c3b45ceb971e7f2b6920e1
--- /dev/null
+++ b/test/mjsunit/regress/regress-457935.js
@@ -0,0 +1,26 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function assertEquals(found) { };
+
+function __f_25() {
+  return __f_25.arguments;
+}
+
+function __f_30(limit) {
+  var __v_29 = 0;
+  var __v_30 = {};
+  for (; __v_29 < limit; __v_29++) {
+    __v_30.y = +__v_30.y;
+    __f_25();
+  }
+}
+
+ __f_30(1);
+ __f_30(1);
+%OptimizeFunctionOnNextCall(__f_30);
+assertEquals(__f_30(1));
+assertEquals(__f_30(2));
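Review bot: The stub `function assertEquals(found) { };` near the top of the new file shadows the mjsunit harness assertion with a no-op, so the last two lines check nothing beyond "did not crash". If surviving the deoptimization is all the test needs, drop the stub and call `__f_30(1);` and `__f_30(2);` directly, so a reader does not assume a value is being compared. The fuzzer-style names (`__f_25`, `__v_30`) also hide what triggers the bug. A short header comment would help, for example `// Reads f.arguments from a callee while the caller updates a double field in optimized code.`, reworded to match the actual trigger.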

