Reviewers: Benedikt Meurer,
Description:
Version 4.4.63.26
[crankshaft] Fix wrong bailout points in for-in loop body.
This is a manual port of https://codereview.chromium.org/1183683004, which fixed
the same issue on the 4.5 branch.
BUG=chromium:514268
LOG=n
[email protected]
Please review this at https://codereview.chromium.org/1268883002/
Base URL: https://chromium.googlesource.com/v8/[email protected]
Affected files (+28, -2 lines):
M include/v8-version.h
M src/hydrogen.cc
A test/mjsunit/regress/regress-crbug-514268.js
Index: include/v8-version.h
diff --git a/include/v8-version.h b/include/v8-version.h
index
dac654ab88b0a0761cec3ed75df9e972b874c7e8..c52267e024ca30e7461cfd684cad7766c64d69ef
100644
--- a/include/v8-version.h
+++ b/include/v8-version.h
@@ -11,7 +11,7 @@
#define V8_MAJOR_VERSION 4
#define V8_MINOR_VERSION 4
#define V8_BUILD_NUMBER 63
-#define V8_PATCH_LEVEL 25
+#define V8_PATCH_LEVEL 26
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index
a1b06482078471d937ca46e7efb70323e06bc325..6a86c736ee5e63208e697fc5e114ecf4d24844b0
100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -5219,9 +5219,12 @@ void
HOptimizedGraphBuilder::BuildForInBody(ForInStatement* stmt,
HValue* function = AddLoadJSBuiltin(Builtins::FILTER_KEY);
Add<HPushArguments>(enumerable, key);
key = Add<HInvokeFunction>(function, 2);
+ Push(key);
+ Add<HSimulate>(stmt->FilterId());
+ key = Pop();
Bind(each_var, key);
- Add<HSimulate>(stmt->AssignmentId());
Add<HCheckHeapObject>(key);
+ Add<HSimulate>(stmt->AssignmentId());
}
BreakAndContinueInfo break_info(stmt, scope(), 5);
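Review bot: The new `Push(key); Add<HSimulate>(stmt->FilterId()); key = Pop();` sequence has no comment, and it is not obvious why the key is pushed only to be popped again. I would add one above `Push(key)`, such as `// The FILTER_KEY call can have side effects: record a bailout point directly after it, with the filtered key on the expression stack, so that a deopt does not resume before the call.` This reading is inferred from the commit title and the regression test, so please confirm the wording. Moving `Add<HSimulate>(stmt->AssignmentId())` below `Add<HCheckHeapObject>(key)` presumably makes a failing check resume at the FilterId state, which also deserves a one-line note, since a misplaced simulate in optimized code is the kind of defect that silently diverges from baseline behaviour. The patch does not show the baseline side, so it is worth confirming that the 4.4 branch records a bailout at `FilterId()` with the same stack height; `BuildForInBody` starts and ends outside this hunk.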
Index: test/mjsunit/regress/regress-crbug-514268.js
diff --git a/test/mjsunit/regress/regress-crbug-514268.js
b/test/mjsunit/regress/regress-crbug-514268.js
new file mode 100644
index
0000000000000000000000000000000000000000..75d9970eed7d3af02432f82d592e3a55a32d2669
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-514268.js
@@ -0,0 +1,23 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function bar(a) {
+ a.pop();
+}
+function foo(a) {
+ assertEquals(2, a.length);
+ var d;
+ for (d in a) {
+ bar(a);
+ }
+ // If this fails, bar was not called exactly once.
+ assertEquals(1, a.length);
+}
+
+foo([1,2]);
+foo([2,3]);
+%OptimizeFunctionOnNextCall(foo);
+foo([1,2]);
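Review bot: The test has no header comment saying what it exercises, so a later reader cannot tell why the array is shrunk inside the `for (d in a)` body or why `foo` runs twice before `%OptimizeFunctionOnNextCall(foo)`. A line after the `// Flags:` comment would cover it, for example `// Regression test for crbug.com/514268: for-in over an array whose body removes an element, re-run after optimizing foo.` The existing comment before the final `assertEquals(1, a.length)` describes the failure symptom but not the setup that provokes it.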