Reviewers: Yang,
Description:
Merged r11286 into 3.9 branch.
Fix regular and ElementsKind transitions interfering with each other
BUG=122271
[email protected]
Please review this at https://chromiumcodereview.appspot.com/9969211/
SVN Base: https://v8.googlecode.com/svn/branches/3.9
Affected files:
M src/arm/stub-cache-arm.cc
M src/ia32/stub-cache-ia32.cc
M src/mips/stub-cache-mips.cc
M src/version.cc
M src/x64/stub-cache-x64.cc
A test/mjsunit/regress/regress-crbug-122271.js
Index: src/arm/stub-cache-arm.cc
diff --git a/src/arm/stub-cache-arm.cc b/src/arm/stub-cache-arm.cc
index
06f8385af96731dd3cedfa0a1e4d544c87cb0f7f..852824f8ec08980a1e90b4640b57e4b964a88648
100644
--- a/src/arm/stub-cache-arm.cc
+++ b/src/arm/stub-cache-arm.cc
@@ -443,8 +443,10 @@ void StubCompiler::GenerateStoreField(MacroAssembler*
masm,
Label exit;
// Check that the map of the object hasn't changed.
+ CompareMapMode mode = transition.is_null() ?
ALLOW_ELEMENT_TRANSITION_MAPS
+ : REQUIRE_EXACT_MAP;
__ CheckMap(receiver_reg, scratch, Handle<Map>(object->map()),
miss_label,
- DO_SMI_CHECK, ALLOW_ELEMENT_TRANSITION_MAPS);
+ DO_SMI_CHECK, mode);
// Perform global security token check if needed.
if (object->IsJSGlobalProxy()) {
Index: src/ia32/stub-cache-ia32.cc
diff --git a/src/ia32/stub-cache-ia32.cc b/src/ia32/stub-cache-ia32.cc
index
fd267798cf43b664c2591b71705c13cfe4613a3b..5a5afdc7474b50944d0d9183c5b2df0f9d41fff0
100644
--- a/src/ia32/stub-cache-ia32.cc
+++ b/src/ia32/stub-cache-ia32.cc
@@ -746,8 +746,10 @@ void StubCompiler::GenerateStoreField(MacroAssembler*
masm,
Register scratch,
Label* miss_label) {
// Check that the map of the object hasn't changed.
+ CompareMapMode mode = transition.is_null() ?
ALLOW_ELEMENT_TRANSITION_MAPS
+ : REQUIRE_EXACT_MAP;
__ CheckMap(receiver_reg, Handle<Map>(object->map()),
- miss_label, DO_SMI_CHECK, ALLOW_ELEMENT_TRANSITION_MAPS);
+ miss_label, DO_SMI_CHECK, mode);
// Perform global security token check if needed.
if (object->IsJSGlobalProxy()) {
Index: src/mips/stub-cache-mips.cc
diff --git a/src/mips/stub-cache-mips.cc b/src/mips/stub-cache-mips.cc
index
294bc0a0747cab372f832cafa4acdd523c5a69d4..f7b94b926144931393232bc96743a2637e169383
100644
--- a/src/mips/stub-cache-mips.cc
+++ b/src/mips/stub-cache-mips.cc
@@ -429,8 +429,10 @@ void StubCompiler::GenerateStoreField(MacroAssembler*
masm,
// a0 : value.
Label exit;
// Check that the map of the object hasn't changed.
+ CompareMapMode mode = transition.is_null() ?
ALLOW_ELEMENT_TRANSITION_MAPS
+ : REQUIRE_EXACT_MAP;
__ CheckMap(receiver_reg, scratch, Handle<Map>(object->map()),
miss_label,
- DO_SMI_CHECK, ALLOW_ELEMENT_TRANSITION_MAPS);
+ DO_SMI_CHECK, mode);
// Perform global security token check if needed.
if (object->IsJSGlobalProxy()) {
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index
c4fc0d77364e1c3d9a5918d82a3ccdfbc8690353..70a9be85aed7ca0133d966c3673d734978620cfa
100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 9
#define BUILD_NUMBER 24
-#define PATCH_LEVEL 13
+#define PATCH_LEVEL 14
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
Index: src/x64/stub-cache-x64.cc
diff --git a/src/x64/stub-cache-x64.cc b/src/x64/stub-cache-x64.cc
index
f07f6b6b72fbbc5a0d5da7b66a42dd0b46f837ef..a275f550830c4b40464533a2bb7c994c6bf07725
100644
--- a/src/x64/stub-cache-x64.cc
+++ b/src/x64/stub-cache-x64.cc
@@ -730,8 +730,10 @@ void StubCompiler::GenerateStoreField(MacroAssembler*
masm,
Register scratch,
Label* miss_label) {
// Check that the map of the object hasn't changed.
+ CompareMapMode mode = transition.is_null() ?
ALLOW_ELEMENT_TRANSITION_MAPS
+ : REQUIRE_EXACT_MAP;
__ CheckMap(receiver_reg, Handle<Map>(object->map()),
- miss_label, DO_SMI_CHECK, ALLOW_ELEMENT_TRANSITION_MAPS);
+ miss_label, DO_SMI_CHECK, mode);
// Perform global security token check if needed.
if (object->IsJSGlobalProxy()) {
Index: test/mjsunit/regress/regress-crbug-122271.js
diff --git a/test/mjsunit/regress/regress-crbug-122271.js
b/test/mjsunit/regress/regress-crbug-122271.js
new file mode 100644
index
0000000000000000000000000000000000000000..3a99a7fa587c881164907fe3db190eb22265c0c2
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-122271.js
@@ -0,0 +1,49 @@
+// Copyright 2012 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+// Tests that ElementsKind transitions and regular transitions don't
+// interfere badly with each other.
+
+var a = [0, 0, 0, 1];
+var b = [0, 0, 0, "one"];
+var c = [0, 0, 0, 1];
+c.foo = "baz";
+
+function foo(array) {
+ array.foo = "bar";
+}
+
+assertTrue(%HasFastSmiOnlyElements(a));
+assertTrue(%HasFastElements(b));
+
+foo(a);
+foo(b);
+
+assertTrue(%HasFastSmiOnlyElements(a));
+assertTrue(%HasFastElements(b));
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
