Revision: 6834
Author: [email protected]
Date: Thu Feb 17 05:41:56 2011
Log: Merge revisions 6831 and 6833 to the 3.0 branch.
These revisions fix a pair of crashes during deoptimization.
Review URL: http://codereview.chromium.org/6519048
http://code.google.com/p/v8/source/detail?r=6834
Added:
/branches/3.0/test/mjsunit/regress/regress-1166.js
/branches/3.0/test/mjsunit/regress/regress-1167.js
Modified:
/branches/3.0/src/hydrogen.cc
/branches/3.0/src/hydrogen.h
/branches/3.0/src/version.cc
=======================================
--- /dev/null
+++ /branches/3.0/test/mjsunit/regress/regress-1166.js Thu Feb 17 05:41:56
2011
@@ -0,0 +1,35 @@
+// Copyright 2011 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Deoptimization after a short-circuit logical operation in an effect
+// context should not see the value of the expression.
+function observe(x, y) { return x; }
+
+function test(x) { return observe(1, ((false || false), x + 1)); }
+
+for (var i = 0; i < 10000000; ++i) test(0);
+test("a");
=======================================
--- /dev/null
+++ /branches/3.0/test/mjsunit/regress/regress-1167.js Thu Feb 17 05:41:56
2011
@@ -0,0 +1,43 @@
+// Copyright 2011 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Deoptimization after a logical not in an effect context should not see a
+// value for the logical not expression.
+function test(n) {
+ var a = new Array(n);
+ for (var i = 0; i < n; ++i) {
+ // ~ of a non-numeric value is used to trigger deoptimization.
+ a[i] = void(!(delete 'object')) % ~(delete 4);
+ }
+}
+
+// OSR (after deoptimization) is used to observe the stack height mismatch.
+for (var i = 0; i < 5; ++i) {
+ for (var j = 1; j < 12; ++j) {
+ test(j * 1000);
+ }
+}
=======================================
--- /branches/3.0/src/hydrogen.cc Fri Feb 11 05:22:38 2011
+++ /branches/3.0/src/hydrogen.cc Thu Feb 17 05:41:56 2011
@@ -501,23 +501,6 @@
HConstant* HGraph::GetConstantFalse() {
return GetConstant(&constant_false_, Heap::false_value());
}
-
-
-void HSubgraph::AppendOptional(HSubgraph* graph,
- bool on_true_branch,
- HValue* value) {
- ASSERT(HasExit() && graph->HasExit());
- HBasicBlock* other_block = graph_->CreateBasicBlock();
- HBasicBlock* join_block = graph_->CreateBasicBlock();
-
- HTest* test = on_true_branch
- ? new HTest(value, graph->entry_block(), other_block)
- : new HTest(value, other_block, graph->entry_block());
- exit_block_->Finish(test);
- other_block->Goto(join_block);
- graph->exit_block()->Goto(join_block);
- exit_block_ = join_block;
-}
void HSubgraph::AppendJoin(HSubgraph* then_graph,
@@ -4594,7 +4577,7 @@
VisitForControl(expr->expression(),
context->if_false(),
context->if_true());
- } else {
+ } else if (ast_context()->IsValue()) {
HSubgraph* true_graph = CreateEmptySubgraph();
HSubgraph* false_graph = CreateEmptySubgraph();
VISIT_FOR_CONTROL(expr->expression(),
@@ -4608,7 +4591,11 @@
current_subgraph_->AppendJoin(true_graph, false_graph, expr);
ast_context()->ReturnValue(Pop());
- }
+ } else {
+ ASSERT(ast_context()->IsEffect());
+ VISIT_FOR_EFFECT(expr->expression());
+ }
+
} else if (op == Token::BIT_NOT || op == Token::SUB) {
VISIT_FOR_VALUE(expr->expression());
HValue* value = Pop();
@@ -4897,7 +4884,7 @@
subgraph()->set_exit_block(eval_right);
Visit(expr->right());
- } else {
+ } else if (ast_context()->IsValue()) {
VISIT_FOR_VALUE(expr->left());
ASSERT(current_subgraph_->HasExit());
@@ -4907,9 +4894,50 @@
HSubgraph* right_subgraph;
right_subgraph = CreateBranchSubgraph(environment_copy);
ADD_TO_SUBGRAPH(right_subgraph, expr->right());
- current_subgraph_->AppendOptional(right_subgraph, is_logical_and,
left);
- current_subgraph_->exit_block()->SetJoinId(expr->id());
+
+ ASSERT(subgraph()->HasExit() && right_subgraph->HasExit());
+ // We need an extra block to maintain edge-split form.
+ HBasicBlock* empty_block = graph()->CreateBasicBlock();
+ HBasicBlock* join_block = graph()->CreateBasicBlock();
+
+ HTest* test = is_logical_and
+ ? new HTest(left, right_subgraph->entry_block(), empty_block)
+ : new HTest(left, empty_block, right_subgraph->entry_block());
+ subgraph()->exit_block()->Finish(test);
+ empty_block->Goto(join_block);
+ right_subgraph->exit_block()->Goto(join_block);
+ join_block->SetJoinId(expr->id());
+ subgraph()->set_exit_block(join_block);
ast_context()->ReturnValue(Pop());
+ } else {
+ ASSERT(ast_context()->IsEffect());
+ // In an effect context, we don't need the value of the left
+ // subexpression, only its control flow and side effects. We need an
+ // extra block to maintain edge-split form.
+ HBasicBlock* empty_block = graph()->CreateBasicBlock();
+ HBasicBlock* right_block = graph()->CreateBasicBlock();
+ HBasicBlock* join_block = graph()->CreateBasicBlock();
+ if (is_logical_and) {
+ VISIT_FOR_CONTROL(expr->left(), right_block, empty_block);
+ } else {
+ VISIT_FOR_CONTROL(expr->left(), empty_block, right_block);
+ }
+ // TODO(kmillikin): Find a way to fix this. It's ugly that there are
+ // actually two empty blocks (one here and one inserted by
+ // TestContext::BuildBranch, and that they both have an HSimulate
+ // though the second one is not a merge node, and that we really have
+ // no good AST ID to put on that first HSimulate.
+ empty_block->SetJoinId(expr->id());
+ right_block->SetJoinId(expr->RightId());
+ subgraph()->set_exit_block(right_block);
+ VISIT_FOR_EFFECT(expr->right());
+
+ empty_block->Goto(join_block);
+ subgraph()->exit_block()->Goto(join_block);
+ join_block->SetJoinId(expr->id());
+ subgraph()->set_exit_block(join_block);
+ // We did not materialize any value in the predecessor environments,
+ // so there is no need to handle it here.
}
} else {
=======================================
--- /branches/3.0/src/hydrogen.h Mon Jan 31 05:20:57 2011
+++ /branches/3.0/src/hydrogen.h Thu Feb 17 05:41:56 2011
@@ -214,9 +214,6 @@
void PreProcessOsrEntry(IterationStatement* statement);
- void AppendOptional(HSubgraph* graph,
- bool on_true_branch,
- HValue* boolean_value);
void AppendJoin(HSubgraph* then_graph, HSubgraph* else_graph, AstNode*
node);
void AppendWhile(HSubgraph* condition,
HSubgraph* body,
=======================================
--- /branches/3.0/src/version.cc Wed Feb 16 05:09:41 2011
+++ /branches/3.0/src/version.cc Thu Feb 17 05:41:56 2011
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 0
#define BUILD_NUMBER 12
-#define PATCH_LEVEL 20
+#define PATCH_LEVEL 21
#define CANDIDATE_VERSION false
// Define SONAME to have the SCons build the put a specific SONAME into the
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
