[v8-dev] During arguments materialization, do not store materialized objects without lazy deopt. (issue 919173003 by jarin@chromium.org)

[jarin]

Reviewers: Michael Starzinger,

Message:
Could you take a look, please?
Description:
During arguments materialization, do not store materialized objects without  
lazy
deopt.

BUG=
R=mstarzin...@chromium.org

Please review this at https://codereview.chromium.org/919173003/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+24, -13 lines):
  M src/deoptimizer.h
  M src/deoptimizer.cc
  A + test/mjsunit/regress/regress-arg-materialize-store.js


Index: src/deoptimizer.cc
diff --git a/src/deoptimizer.cc b/src/deoptimizer.cc
index  
7c79c89078b98a74e8d65bfb766e2670a8850ba4..df8e5cffa8f8f052c94e8fe942069a963975bd4c  
100644
--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@@ -3190,7 +3190,10 @@ SlotRef  
SlotRefValueBuilder::ComputeSlotForNextArgument(
 SlotRefValueBuilder::SlotRefValueBuilder(JavaScriptFrame* frame,
                                          int inlined_jsframe_index,
                                          int formal_parameter_count)
-    : current_slot_(0), args_length_(-1), first_slot_index_(-1) {
+    : current_slot_(0),
+      args_length_(-1),
+      first_slot_index_(-1),
+      should_deoptimize_(false) {
   DisallowHeapAllocation no_gc;

   int deopt_index = Safepoint::kNoDeoptimizationIndex;
@@ -3208,7 +3211,6 @@  
SlotRefValueBuilder::SlotRefValueBuilder(JavaScriptFrame* frame,
   CHECK_GT(jsframe_count, inlined_jsframe_index);
   int jsframes_to_skip = inlined_jsframe_index;
   int number_of_slots = -1;  // Number of slots inside our frame (yet  
unknown)
-  bool should_deopt = false;
   while (number_of_slots != 0) {
     opcode = static_cast<Translation::Opcode>(it.Next());
     bool processed = false;
@@ -3265,7 +3267,7 @@  
SlotRefValueBuilder::SlotRefValueBuilder(JavaScriptFrame* frame,
         number_of_slots += slot.GetChildrenCount();
         if (slot.Representation() == SlotRef::DEFERRED_OBJECT ||
             slot.Representation() == SlotRef::DUPLICATE_OBJECT) {
-          should_deopt = true;
+          should_deoptimize_ = true;
         }
       }

@@ -3276,7 +3278,7 @@  
SlotRefValueBuilder::SlotRefValueBuilder(JavaScriptFrame* frame,
       it.Skip(Translation::NumberOfOperandsFor(opcode));
     }
   }
-  if (should_deopt) {
+  if (should_deoptimize_) {
     List<JSFunction*> functions(2);
     frame->GetFunctions(&functions);
     Deoptimizer::DeoptimizeFunction(functions[0]);
@@ -3492,9 +3494,11 @@ void SlotRefValueBuilder::Finish(Isolate* isolate) {
   // We should have processed all the slots
   CHECK_EQ(slot_refs_.length(), current_slot_);

-  if (materialized_objects_.length() > prev_materialized_count_) {
-    // We have materialized some new objects, so we have to store them
-    // to prevent duplicate materialization
+  if (should_deoptimize_ &&
+      materialized_objects_.length() > prev_materialized_count_) {
+    // We have materialized some new objects and they might be accessible
+    // from the arguments object, so we have to store them
+    // to prevent duplicate materialization.
     Handle<FixedArray> array = isolate->factory()->NewFixedArray(
         materialized_objects_.length());
     for (int i = 0; i < materialized_objects_.length(); i++) {
Index: src/deoptimizer.h
diff --git a/src/deoptimizer.h b/src/deoptimizer.h
index  
91b6fca298f398c4de8f12300ef04857b90a6fa1..471a05d9b0a0f8cdbd9647c01697133c137ba7a9  
100644
--- a/src/deoptimizer.h
+++ b/src/deoptimizer.h
@@ -939,6 +939,7 @@ class SlotRefValueBuilder BASE_EMBEDDED {
   int current_slot_;
   int args_length_;
   int first_slot_index_;
+  bool should_deoptimize_;

   static SlotRef ComputeSlotForNextArgument(
       Translation::Opcode opcode,
Index: test/mjsunit/regress/regress-arg-materialize-store.js
diff --git a/test/mjsunit/compiler/regress-ntl-effect.js  
b/test/mjsunit/regress/regress-arg-materialize-store.js
similarity index 55%
copy from test/mjsunit/compiler/regress-ntl-effect.js
copy to test/mjsunit/regress/regress-arg-materialize-store.js
index  
708fe32828c9197dfa3d8c371ab01cbc1ad3317a..2a30dc87a33da0aced9afd339fe56efce57933d0  
100644
--- a/test/mjsunit/compiler/regress-ntl-effect.js
+++ b/test/mjsunit/regress/regress-arg-materialize-store.js
@@ -4,13 +4,19 @@

 // Flags: --allow-natives-syntax

-function g() {
-  throw 0;
+function f() {
+  return f.arguments;
 }

-function f() {
-  g();
-  while (1) {}
+function g(deopt) {
+  var o = { x : 2 };
+  f();
+  o.x = 1;
+  deopt + 0;
+  return o.x;
 }

-assertThrows(function () { f(); });
+g(0);
+g(0);
+%OptimizeFunctionOnNextCall(g);
+assertEquals(1, g({}));


--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
--- 
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.