Hi all. I'm trying to tinker with V8 to allow some unsafe semantics for
research purposes (Currently with Crankshaft disabled).
I have the following builtin that I hacked into V8:
void FullCodeGenerator::EmitUnsafeSetInline(CallRuntime* expr) {
  Comment cmnt(masm_, "[ UnsafeSetInline");
  ZoneList<Expression*>* args = expr->arguments();
  DCHECK(args->length() == 3);
  // Inspect first argument; place into result register (rax).
  VisitForAccumulatorValue(args->at(0));
  // Statically inspect second argument. Use in code generation.
  Literal* lit = (Literal*)(args->at(1));
  // May segfault if not really Literal!
  Handle<Object> val = lit->value();
  DCHECK(val->IsSmi());
  // Convert outside the DCHECK: DCHECK bodies are compiled out of release
  // builds, so a conversion inside one would leave ival uninitialized.
  int ival;
  bool is_int = val->ToInt32(&ival);
  DCHECK(is_int);
  USE(is_int);
  // Save the object pointer before evaluating the third argument, which
  // clobbers rax.
  __ movp(rcx, rax);
  VisitForAccumulatorValue(args->at(2));
  // Unguarded store into the ival'th in-object property slot.
  __ movp(FieldOperand(rcx, ival * kPointerSize + JSObject::kHeaderSize),
          rax);
}
So a usage of e.g. %_UnsafeSetInline(obj, i, val) will set the i'th element
to val, assuming (with no guard!) that the element is present inline in the
object.
However, in a case like this:
var a = {key: "val"};
%_UnsafeSetInline(a, 0, 1)
print(a.key)
After the print statement, a debug assertion is thrown stating that the
representation has changed.
I'm not particularly familiar with V8 internals, could someone point me to
what might inform V8 of the type change?
Thanks,
-Adam
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
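The following is an added example, not part of the post above and not V8's own code. It is a deliberately simplified model of the mechanism the post runs into: a V8 map (hidden class) records a representation for each in-object field, and a store that does not fit that representation is supposed to generalize the map (Smi joined with HeapObject gives Tagged) and migrate the object before the slot is written. The unguarded store in the post writes the slot without touching the map, so the next read finds a Smi in a field the map still describes as HeapObject. All type and function names here (Repr, Map, Object, unsafe_set_inline, guarded_set_inline, run_demo) are assumptions for illustration; the lattice values and join rules are the standard Smi/Double/HeapObject/Tagged ones, but nothing below is V8's real data layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified field-representation lattice (names are illustrative, not V8's). */
typedef enum { R_NONE, R_SMI, R_DOUBLE, R_HEAPOBJECT, R_TAGGED } Repr;

/* A tagged value: either a small integer (Smi) or a pointer to a heap object. */
typedef struct { bool is_smi; int32_t smi; const char *heap; } Value;

/* A "map": one representation per in-object field, plus deprecation bookkeeping. */
#define MAX_FIELDS 4
typedef struct Map {
  int field_count;
  Repr repr[MAX_FIELDS];
  bool deprecated;
  struct Map *replacement;
} Map;

typedef struct { Map *map; Value fields[MAX_FIELDS]; } Object;

static Map g_maps[8];   /* static pool so map pointers stay valid after return */
static int g_map_count;

static Repr repr_of(Value v) { return v.is_smi ? R_SMI : R_HEAPOBJECT; }

/* A value fits a field if the field is fully Tagged or the representations match. */
static bool fits(Repr value_repr, Repr field_repr) {
  return field_repr == R_TAGGED || value_repr == field_repr;
}

/* Join in the lattice: Smi+Double -> Double, anything with HeapObject -> Tagged. */
static Repr generalize(Repr a, Repr b) {
  if (a == b) return a;
  if (a == R_NONE) return b;
  if (b == R_NONE) return a;
  if ((a == R_SMI && b == R_DOUBLE) || (a == R_DOUBLE && b == R_SMI)) return R_DOUBLE;
  return R_TAGGED;
}

static Map *new_map_with_field(Repr r) {
  Map *m = &g_maps[g_map_count++];
  memset(m, 0, sizeof *m);
  m->field_count = 1;
  m->repr[0] = r;
  return m;
}

/* Models `var a = {key: "val"}`: one in-object field recorded as HeapObject. */
static Object make_object_with_string_key(void) {
  Object o;
  o.map = new_map_with_field(R_HEAPOBJECT);
  o.fields[0] = (Value){ false, 0, "val" };
  return o;
}

/* The store from the post: write the slot, leave the map alone. */
static void unsafe_set_inline(Object *o, int i, Value v) { o->fields[i] = v; }

/* The consistency check a debug build performs when the field is read back. */
static bool representation_consistent(const Object *o, int i) {
  return fits(repr_of(o->fields[i]), o->map->repr[i]);
}

/* A guarded store: generalize the field, deprecate the old map, migrate, then write. */
static void guarded_set_inline(Object *o, int i, Value v) {
  Repr have = o->map->repr[i], want = repr_of(v);
  if (!fits(want, have)) {
    Map *m = new_map_with_field(R_NONE);
    *m = *o->map;
    m->deprecated = false;
    m->replacement = NULL;
    m->repr[i] = generalize(have, want);
    o->map->deprecated = true;
    o->map->replacement = m;
    o->map = m;               /* the object migrates to the generalized map */
  }
  o->fields[i] = v;
}

typedef struct {
  bool unsafe_consistent;    /* after the unguarded store */
  bool guarded_consistent;   /* after the guarded store */
  Repr guarded_repr;         /* field representation the new map records */
  bool old_map_deprecated;   /* the original map was deprecated */
} DemoResult;

/* Replays %_UnsafeSetInline(a, 0, 1) both ways on a fresh {key: "val"} object. */
DemoResult run_demo(void) {
  DemoResult r;
  Object a = make_object_with_string_key();
  unsafe_set_inline(&a, 0, (Value){ true, 1, NULL });
  r.unsafe_consistent = representation_consistent(&a, 0);

  Object b = make_object_with_string_key();
  Map *old = b.map;
  guarded_set_inline(&b, 0, (Value){ true, 1, NULL });
  r.guarded_consistent = representation_consistent(&b, 0);
  r.guarded_repr = b.map->repr[0];
  r.old_map_deprecated = old->deprecated;
  return r;
}

int main(void) {
  DemoResult d = run_demo();
  printf("unguarded store consistent with map: %s\n", d.unsafe_consistent ? "yes" : "no");
  printf("guarded store consistent with map:   %s (field repr %d, old map deprecated: %s)\n",
         d.guarded_consistent ? "yes" : "no", (int)d.guarded_repr,
         d.old_map_deprecated ? "yes" : "no");
  return 0;
}
```

The point of the model is the ordering: the generalization and migration happen before the slot is written, so any code that reads the field through the map never sees a value the map does not describe. A builtin that skips that step must either prove statically that the value fits the recorded representation or accept that the object and its map disagree from then on.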