Reviewers: Kevin Millikin,
Description:
Fix bug in inlining call-as-function when inlining multiple levels deep.
This change fixes a off-by-one level error when dropping the
function from the environment. The function of the outermost
environment was not dropped.
BUG=v8:1785
TEST=test/mjsunit/compiler/regress-inline-callfunctionstub.js
Please review this at http://codereview.chromium.org/8341019/
SVN Base: http://v8.googlecode.com/svn/branches/bleeding_edge/
Affected files:
M src/hydrogen.h
M src/hydrogen.cc
A test/mjsunit/compiler/regress-inline-callfunctionstub.js
Index: src/hydrogen.cc
===================================================================
--- src/hydrogen.cc (revision 9758)
+++ src/hydrogen.cc (working copy)
@@ -4710,7 +4710,10 @@
Handle<Code>(target_shared->code()),
Handle<Context>(target->context()->global_context()),
isolate());
- FunctionState target_state(this, &target_info, &target_oracle,
drop_extra);
+ // The function state is new-allocated because we need to delete it
+ // in two different places.
+ FunctionState* target_state =
+ new FunctionState(this, &target_info, &target_oracle, drop_extra);
HConstant* undefined = graph()->GetConstantUndefined();
HEnvironment* inner_env =
@@ -4744,6 +4747,7 @@
TraceInline(target, caller, "inline graph construction failed");
target_shared->DisableOptimization(*target);
inline_bailout_ = true;
+ delete target_state;
return true;
}
@@ -4790,19 +4794,21 @@
// Pop the return test context from the expression context stack.
ASSERT(ast_context() == inlined_test_context());
ClearInlinedTestContext();
+ delete target_state;
// Forward to the real test context.
if (if_true->HasPredecessor()) {
if_true->SetJoinId(expr->id());
HBasicBlock* true_target =
TestContext::cast(ast_context())->if_true();
- if_true->Goto(true_target, drop_extra);
+ if_true->Goto(true_target, function_state()->drop_extra());
}
if (if_false->HasPredecessor()) {
if_false->SetJoinId(expr->id());
HBasicBlock* false_target =
TestContext::cast(ast_context())->if_false();
- if_false->Goto(false_target, drop_extra);
+ if_false->Goto(false_target, function_state()->drop_extra());
}
set_current_block(NULL);
+ return true;
} else if (function_return()->HasPredecessor()) {
function_return()->SetJoinId(expr->id());
@@ -4810,7 +4816,7 @@
} else {
set_current_block(NULL);
}
-
+ delete target_state;
return true;
}
Index: src/hydrogen.h
===================================================================
--- src/hydrogen.h (revision 9758)
+++ src/hydrogen.h (working copy)
@@ -605,7 +605,7 @@
};
-class FunctionState BASE_EMBEDDED {
+class FunctionState {
public:
FunctionState(HGraphBuilder* owner,
CompilationInfo* info,
Index: test/mjsunit/compiler/regress-inline-callfunctionstub.js
===================================================================
--- test/mjsunit/compiler/regress-inline-callfunctionstub.js (revision 0)
+++ test/mjsunit/compiler/regress-inline-callfunctionstub.js (revision 0)
@@ -0,0 +1,46 @@
+// Copyright 2011 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+// Test inlined of calls-as-function two levels deep.
+function f() { return 42; }
+
+var o = {g : function () { return f(); } }
+function main(func) {
+ var v=0;
+ for (var i=0; i<1; i++) {
+ if (func()) v = 42;
+ }
+}
+
+main(o.g);
+main(o.g);
+main(o.g);
+%OptimizeFunctionOnNextCall(main);
+main(o.g);
+
Property changes on:
test/mjsunit/compiler/regress-inline-callfunctionstub.js
___________________________________________________________________
Added: svn:eol-style
+ LF
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
