Reviewers: mvstanton,
Message:
PTAL
Description:
Do not inline array resize operations for outdated prototype maps.
BUG=chromium:523213
LOG=N
Please review this at https://codereview.chromium.org/1313303002/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+16, -11 lines):
M src/hydrogen.cc
M src/objects.cc
A + test/mjsunit/regress/regress-crbug-523213.js
Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index
8c59ce86c9fe11f4c8ed1cfb76a8ed69cfcd3f2f..3e4a169b56be5a20dac293cdb0ac9ced5fb40599
100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -8601,9 +8601,10 @@ bool
HOptimizedGraphBuilder::CanInlineArrayResizeOperation(
return !receiver_map.is_null() &&
receiver_map->instance_type() == JS_ARRAY_TYPE &&
IsFastElementsKind(receiver_map->elements_kind()) &&
- !receiver_map->is_dictionary_map() &&
- !IsReadOnlyLengthDescriptor(receiver_map) &&
- !receiver_map->is_observed() && receiver_map->is_extensible();
+ !receiver_map->is_dictionary_map()
&& !receiver_map->is_observed() &&
+ receiver_map->is_extensible() &&
+ (!receiver_map->is_prototype_map() || receiver_map->is_stable())
&&
+ !IsReadOnlyLengthDescriptor(receiver_map);
}
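Review bot: The new `(!receiver_map->is_prototype_map() || receiver_map->is_stable())` clause carries no explanation of why stability is what distinguishes a current prototype map from an outdated one, and a reader of this function will not find that in the commit. The DCHECKs this change adds to JSObject::MigrateToMap establish the invariant the clause relies on (a prototype map that objects have migrated away from is no longer stable), so a comment tying the two together would help: `// A prototype map that objects have migrated away from is marked unstable (see JSObject::MigrateToMap); inlining against it would operate on a stale layout (crbug.com/523213).` Note also that is_stable() is a snapshot taken at compile time; the inlined code stays correct only if a stability dependency on the map is registered so that a later migration deoptimizes it, which this hunk does not show and is worth confirming in the caller. The function's signature sits in the hunk header; the body shown is its whole return expression.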
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
552d4f5516e3feaeb6f2ff9b6e838e5e8c465c34..f0d939411ce03f8d29b789579492afb97f9ab39e
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -1776,6 +1776,8 @@ void JSObject::MigrateToMap(Handle<JSObject> object,
Handle<Map> new_map,
if (!new_map->is_dictionary_map()) {
MigrateFastToFast(object, new_map);
if (old_map->is_prototype_map()) {
+ DCHECK(!old_map->is_stable());
+ DCHECK(new_map->is_stable());
// Clear out the old descriptor array to avoid problems to sharing
// the descriptor array without using an explicit.
old_map->InitializeDescriptors(
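Review bot: The two added DCHECKs encode an invariant that CanInlineArrayResizeOperation in hydrogen.cc now depends on, but nothing at this site says so, and the hunk does not show where `old_map` is marked unstable before MigrateToMap runs. A comment above them would make the coupling visible: `// The optimizing compiler inlines array resize ops only on stable prototype maps, so a prototype map that has been migrated away from must already be unstable and its replacement stable.` Since DCHECK compiles away in release builds this is a debug-time guard only, so if the stability transition happens in a caller the comment should point there rather than leave it implied. MigrateToMap's body continues past the end of the hunk.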
Index: test/mjsunit/regress/regress-crbug-523213.js
diff --git a/test/mjsunit/regress/regress-449291.js
b/test/mjsunit/regress/regress-crbug-523213.js
similarity index 65%
copy from test/mjsunit/regress/regress-449291.js
copy to test/mjsunit/regress/regress-crbug-523213.js
index
fb56027b67f3f176f1432c11b39075aec6cc8429..15b16bb4f9e6488f08d292c6e3feb0ace994791d
100644
--- a/test/mjsunit/regress/regress-449291.js
+++ b/test/mjsunit/regress/regress-crbug-523213.js
@@ -4,16 +4,18 @@
// Flags: --allow-natives-syntax
-a = {y:1.5};
-a.y = 1093445778;
-b = a.y;
-c = {y:{}};
+var v1 = [];
+var v2 = [];
+v1.__proto__ = v2;
-function f() {
- return {y: b};
+function f(){
+ var a = [];
+ for(var i=0; i<2; i++){
+ a.push([]);
+ a = v2;
+ }
}
f();
-f();
%OptimizeFunctionOnNextCall(f);
-assertEquals(f().y, 1093445778);
+f();
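Review bot: The regression test has no comment describing the scenario it reproduces, so a reader cannot tell what `v1.__proto__ = v2` and the `a = v2` reassignment inside the loop are for. Presumably the proto assignment makes v2's map a prototype map, and pushing onto v2 in the second iteration migrates that map so the feedback for push holds an outdated prototype map by the time f is optimized; if that is the intent, a header comment such as `// Push onto a prototype object so its map is migrated; the optimized f must not inline push against the outdated prototype map (crbug.com/523213).` would document it. The test also asserts nothing, which is fine for a crash regression but worth stating in the same comment so nobody later adds an unrelated assertEquals.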