Reviewers: jarin,
Message:
Hi Jaroslav, thanks for the help with this one!
--Michael
Description:
Bug: Runtime_GrowArrayElements provoked unnecessary lazy deopt.
Unnecessary, and unhandled as well.
BUG=488398
[email protected]
LOG=N
Please review this at https://codereview.chromium.org/1141163004/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+20, -1 lines):
M src/runtime/runtime-array.cc
A test/mjsunit/regress/regress-488398.js
Index: src/runtime/runtime-array.cc
diff --git a/src/runtime/runtime-array.cc b/src/runtime/runtime-array.cc
index
d40557474d361071e191b71c5912676ae18fa7fa..e22ea61de92fd5fd743f425eaa027972ed4ec390
100644
--- a/src/runtime/runtime-array.cc
+++ b/src/runtime/runtime-array.cc
@@ -1254,7 +1254,8 @@ RUNTIME_FUNCTION(Runtime_GrowArrayElements) {
if (index >= capacity) {
if (object->WouldConvertToSlowElements(index)) {
- JSObject::NormalizeElements(object);
+ // We don't want to allow operations that cause lazy deopt. Return a
Smi
+ // as a signal that optimized code should eagerly deoptimize.
return Smi::FromInt(0);
}
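Review bot: The `Smi::FromInt(0)` return in the `WouldConvertToSlowElements` branch is an in-band sentinel, and the new comment explains what it signals but not what a caller has to do with it. Since the non-sentinel result is presumably the elements backing store (the rest of Runtime_GrowArrayElements starts and ends outside this hunk), a caller that skips the check would keep running optimized code on a value that is not an elements array. I would extend the comment with `// Callers must test the result for a Smi before using it as the elements store.` It is also worth confirming that the grow path after this branch cannot change the receiver's map or elements kind, because that would trigger the same lazy deopt the comment rules out.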
Index: test/mjsunit/regress/regress-488398.js
diff --git a/test/mjsunit/regress/regress-488398.js
b/test/mjsunit/regress/regress-488398.js
new file mode 100644
index
0000000000000000000000000000000000000000..77ea293a263540042e8c203a09ff3193022efe59
--- /dev/null
+++ b/test/mjsunit/regress/regress-488398.js
@@ -0,0 +1,18 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var __v_10 = 4294967295;
+__v_0 = [];
+__v_0.__proto__ = [];
+__v_16 = __v_0;
+function __f_17(__v_16, base) {
+ __v_16[base + 1] = 1;
+ __v_16[base + 4] = base + 4;
+}
+__f_17(__v_16, true);
+__f_17(__v_16, 14);
+%OptimizeFunctionOnNextCall(__f_17);
+__f_17(__v_16, 2048);
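Review bot: The regression test ends on the optimized call `__f_17(__v_16, 2048)` without asserting anything, so it only catches a crash and would still pass if the store were silently dropped or misplaced after the eager deopt. Adding `assertEquals(1, __v_16[2049]);` and `assertEquals(2052, __v_16[2052]);` after the last call would pin the observable result. `var __v_10 = 4294967295;` is never read and can be removed. A one-line comment such as `// Store past capacity in optimized code must deopt eagerly, not normalize elements.` would tell a reader what the fuzzer-named variables are exercising.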