[v8-dev] [v8] r11792 committed - Fix r11780 to avoid bugs where near branches are used to labels that a...

[codesite-noreply]

Revision: 11792
Author:   erikcorry
Date:     Wed Jun 13 02:54:34 2012
Log:      Fix r11780 to avoid bugs where near branches are used to labels  
that are out of range.
Review URL: http://codereview.chromium.org/10542137
http://code.google.com/p/v8/source/detail?r=11792
Added:
 /branches/bleeding_edge/test/mjsunit/regress/regress-deep-proto.js
Modified:
 /branches/bleeding_edge/src/ia32/lithium-codegen-ia32.cc
 /branches/bleeding_edge/src/x64/lithium-codegen-x64.cc

=======================================
--- /dev/null
+++ /branches/bleeding_edge/test/mjsunit/regress/regress-deep-proto.js	Wed  
Jun 13 02:54:34 2012
@@ -0,0 +1,45 @@
+// Copyright 2012 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+function poly(x) {
+  return x.foo;
+}
+
+var one = {foo: 0};
+var two = {foo: 0, bar: 1};
+var three = {bar: 0};
+three.__proto__ = {};
+three.__proto__.__proto__ = {};
+three.__proto__.__proto__.__proto__ = {};
+three.__proto__.__proto__.__proto__.__proto__ = {};
+three.__proto__.__proto__.__proto__.__proto__.__proto__ = {};
+
+for (var i = 0; i < 1e6; i++) {
+  poly(one);
+  poly(two);
+  poly(three);
+}
=======================================
--- /branches/bleeding_edge/src/ia32/lithium-codegen-ia32.cc	Tue Jun 12  
08:44:12 2012
+++ /branches/bleeding_edge/src/ia32/lithium-codegen-ia32.cc	Wed Jun 13  
02:54:34 2012
@@ -2355,6 +2355,18 @@
     __ push(ToOperand(operand));
   }
 }
+
+
+// Check for cases where EmitLoadFieldOrConstantFunction needs to walk the
+// prototype chain, which causes unbounded code generation.
+static bool CompactEmit(
+    SmallMapList* list, Handle<String> name, int i, Isolate* isolate) {
+  LookupResult lookup(isolate);
+  Handle<Map> map = list->at(i);
+  map->LookupInDescriptors(NULL, *name, &lookup);
+  return lookup.IsFound() &&
+      (lookup.type() == FIELD || lookup.type() == CONSTANT_FUNCTION);
+}


 void LCodeGen::DoLoadNamedFieldPolymorphic(LLoadNamedFieldPolymorphic*  
instr) {
@@ -2370,16 +2382,10 @@
   }
   Handle<String> name = instr->hydrogen()->name();
   Label done;
-  bool compact_code = true;
+  bool all_are_compact = true;
   for (int i = 0; i < map_count; ++i) {
-    LookupResult lookup(isolate());
-    Handle<Map> map = instr->hydrogen()->types()->at(i);
-    map->LookupInDescriptors(NULL, *name, &lookup);
-    if (!lookup.IsFound() ||
-        (lookup.type() != FIELD && lookup.type() != CONSTANT_FUNCTION)) {
-      // The two cases above cause a bounded amount of code to be  
emitted.  This
-      // is not necessarily the case for other lookup results.
-      compact_code = false;
+    if (!CompactEmit(instr->hydrogen()->types(), name, i, isolate())) {
+      all_are_compact = false;
       break;
     }
   }
@@ -2395,11 +2401,13 @@
           result, object, map, name, instr->environment());
     } else {
       Label next;
-      __ j(not_equal, &next, Label::kNear);
+      bool compact = all_are_compact ? true :
+          CompactEmit(instr->hydrogen()->types(), name, i, isolate());
+      __ j(not_equal, &next, compact ? Label::kNear : Label::kFar);
       __ bind(&check_passed);
       EmitLoadFieldOrConstantFunction(
           result, object, map, name, instr->environment());
-      __ jmp(&done, compact_code ? Label::kNear : Label::kFar);
+      __ jmp(&done, all_are_compact ? Label::kNear : Label::kFar);
       __ bind(&next);
     }
   }
=======================================
--- /branches/bleeding_edge/src/x64/lithium-codegen-x64.cc	Tue Jun 12  
08:44:12 2012
+++ /branches/bleeding_edge/src/x64/lithium-codegen-x64.cc	Wed Jun 13  
02:54:34 2012
@@ -2231,6 +2231,18 @@
     __ LoadRoot(result, Heap::kUndefinedValueRootIndex);
   }
 }
+
+
+// Check for cases where EmitLoadFieldOrConstantFunction needs to walk the
+// prototype chain, which causes unbounded code generation.
+static bool CompactEmit(
+    SmallMapList* list, Handle<String> name, int i, Isolate* isolate) {
+  LookupResult lookup(isolate);
+  Handle<Map> map = list->at(i);
+  map->LookupInDescriptors(NULL, *name, &lookup);
+  return lookup.IsFound() &&
+      (lookup.type() == FIELD || lookup.type() == CONSTANT_FUNCTION);
+}


 void LCodeGen::DoLoadNamedFieldPolymorphic(LLoadNamedFieldPolymorphic*  
instr) {
@@ -2246,16 +2258,10 @@
   }
   Handle<String> name = instr->hydrogen()->name();
   Label done;
-  bool compact_code = true;
+  bool all_are_compact = true;
   for (int i = 0; i < map_count; ++i) {
-    LookupResult lookup(isolate());
-    Handle<Map> map = instr->hydrogen()->types()->at(i);
-    map->LookupInDescriptors(NULL, *name, &lookup);
-    if (!lookup.IsFound() ||
-        (lookup.type() != FIELD && lookup.type() != CONSTANT_FUNCTION)) {
-      // The two cases above cause a bounded amount of code to be  
emitted.  This
-      // is not necessarily the case for other lookup results.
-      compact_code = false;
+    if (!CompactEmit(instr->hydrogen()->types(), name, i, isolate())) {
+      all_are_compact = false;
       break;
     }
   }
@@ -2271,11 +2277,13 @@
           result, object, map, name, instr->environment());
     } else {
       Label next;
-      __ j(not_equal, &next, Label::kNear);
+      bool compact = all_are_compact ? true :
+          CompactEmit(instr->hydrogen()->types(), name, i, isolate());
+      __ j(not_equal, &next, compact ? Label::kNear : Label::kFar);
       __ bind(&check_passed);
       EmitLoadFieldOrConstantFunction(
           result, object, map, name, instr->environment());
-      __ jmp(&done, compact_code ? Label::kNear: Label::kFar);
+      __ jmp(&done, all_are_compact ? Label::kNear : Label::kFar);
       __ bind(&next);
     }
   }

--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev