Reviewers: jarin,

Description:
Version 4.4.63.3 (cherry-pick)

Merged de3a1ca02eb0f3c89ddaefbac98e0c4fce3e606c

Bug: Runtime_GrowArrayElements provoked unnecessary lazy deopt.

BUG=488398
LOG=N
[email protected]

Please review this at https://codereview.chromium.org/1145343004/

Base URL: https://chromium.googlesource.com/v8/[email protected]

Affected files (+21, -2 lines):
  M include/v8-version.h
  M src/runtime/runtime-array.cc
  A test/mjsunit/regress/regress-488398.js


Index: include/v8-version.h
diff --git a/include/v8-version.h b/include/v8-version.h
index 201d24ba8e0773d3840acb04c71d684c0ef0a72c..c620285f987e05fc41618efdb5821ad6604f61d9 100644
--- a/include/v8-version.h
+++ b/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 4
 #define V8_MINOR_VERSION 4
 #define V8_BUILD_NUMBER 63
-#define V8_PATCH_LEVEL 2
+#define V8_PATCH_LEVEL 3

 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
Index: src/runtime/runtime-array.cc
diff --git a/src/runtime/runtime-array.cc b/src/runtime/runtime-array.cc
index 34f873512506f9fca64dde84fdc21c3ce318aaad..4147dc953eb819ba8195477f8d3a6b5810971ec7 100644
--- a/src/runtime/runtime-array.cc
+++ b/src/runtime/runtime-array.cc
@@ -1234,7 +1234,8 @@ RUNTIME_FUNCTION(Runtime_GrowArrayElements) {

   if (index >= capacity) {
     if (object->WouldConvertToSlowElements(index)) {
-      JSObject::NormalizeElements(object);
+ // We don't want to allow operations that cause lazy deopt. Return a Smi
+      // as a signal that optimized code should eagerly deoptimize.
       return Smi::FromInt(0);
     }

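Review bot: The first line of the added comment is indented with a single space while its continuation line and the surrounding code use six, so `+ // We don't want to allow operations that cause lazy deopt. Return a Smi` should become `      // We don't want to allow operations that cause lazy deopt. Return a Smi`. The comment also states the intent but not which operation was at fault; since the removed line is the `JSObject::NormalizeElements(object)` call, a short pointer such as `// (Normalizing the elements here is what could trigger the lazy deopt.)` would let a later reader connect the early return to the bug. The body of Runtime_GrowArrayElements continues outside the hunk, so it is not visible here how the caller treats the Smi return.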
Index: test/mjsunit/regress/regress-488398.js
diff --git a/test/mjsunit/regress/regress-488398.js b/test/mjsunit/regress/regress-488398.js
new file mode 100644
index 0000000000000000000000000000000000000000..77ea293a263540042e8c203a09ff3193022efe59
--- /dev/null
+++ b/test/mjsunit/regress/regress-488398.js
@@ -0,0 +1,18 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var __v_10 = 4294967295;
+__v_0 = [];
+__v_0.__proto__ = [];
+__v_16 = __v_0;
+function __f_17(__v_16, base) {
+  __v_16[base + 1] = 1;
+  __v_16[base + 4] = base + 4;
+}
+__f_17(__v_16, true);
+__f_17(__v_16, 14);
+%OptimizeFunctionOnNextCall(__f_17);
+__f_17(__v_16, 2048);
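Review bot: The new test never states what it exercises or what "passing" means, which matters for a fuzzer-reduced case like this where none of the lines assert anything; presumably it passes by running to completion without the deopt-related failure from bug 488398. A header comment after the Flags line, e.g. `// Regression test for bug 488398: growing an array's elements past its capacity from optimized code (__f_17 after %OptimizeFunctionOnNextCall) must not trigger an unnecessary lazy deopt.`, would make the intent recoverable without the review thread. As a minor point of style, `__v_0 = [];` and `__v_16 = __v_0;` create implicit globals while line 66 uses `var`; declaring them with `var` would keep the file consistent unless the sloppy-mode global assignment is part of the reduced case.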

