Reviewers: Toon Verwaest,
Message:
PTAL.
Description:
Make near-jump check more strict in LoadNamedFieldPolymorphic on ia32/x64
BUG=134055
TEST=mjsunit/regress/regress-crbug-134055
Please review this at https://chromiumcodereview.appspot.com/10630027/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/ia32/lithium-codegen-ia32.cc
M src/x64/lithium-codegen-x64.cc
A + test/mjsunit/regress/regress-crbug-134055.js
Index: src/ia32/lithium-codegen-ia32.cc
diff --git a/src/ia32/lithium-codegen-ia32.cc
b/src/ia32/lithium-codegen-ia32.cc
index
8dd58b4ee4ecc8f7b00c267274f183afe9997139..5225763a3868219684ec8f454d39c0ab17fc7785
100644
--- a/src/ia32/lithium-codegen-ia32.cc
+++ b/src/ia32/lithium-codegen-ia32.cc
@@ -2464,10 +2464,15 @@ void LCodeGen::EmitPushTaggedOperand(LOperand*
operand) {
// Check for cases where EmitLoadFieldOrConstantFunction needs to walk the
// prototype chain, which causes unbounded code generation.
-static bool CompactEmit(
- SmallMapList* list, Handle<String> name, int i, Isolate* isolate) {
- LookupResult lookup(isolate);
+static bool CompactEmit(SmallMapList* list,
+ Handle<String> name,
+ int i,
+ Isolate* isolate) {
Handle<Map> map = list->at(i);
+ // If the map has ElementsKind transitions, we will generate map checks
+ // for each kind in __ CompareMap(..., ALLOW_ELEMENTS_TRANSITION_MAPS).
+ if (map->elements_transition_map() != NULL) return false;
+ LookupResult lookup(isolate);
map->LookupInDescriptors(NULL, *name, &lookup);
return lookup.IsField() || lookup.IsConstantFunction();
}
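Review bot: The comment above CompactEmit still names only the prototype-chain walk as a source of unbounded code, although the function now also returns false for maps with an ElementsKind transition. I would reword it along the lines of `// Returns false when the code emitted for map i is not bounded: a prototype-chain walk, or extra map checks for ElementsKind transitions.` The predicate is maintained by hand, so it is worth confirming that nothing else reached from CompareMap or EmitLoadFieldOrConstantFunction can grow the emitted code. The caller (outside this hunk) presumably uses the result to choose a near jump, and an 8-bit displacement that no longer fits would, unless the assembler checks it in release builds, send generated code to the wrong target instead of failing cleanly. The identical helper in src/x64/lithium-codegen-x64.cc needs the same comment update.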
Index: src/x64/lithium-codegen-x64.cc
diff --git a/src/x64/lithium-codegen-x64.cc b/src/x64/lithium-codegen-x64.cc
index
06d041281fa2ca2af7c51c6196d01ab50788d5e1..57db277577ef3d9ca3258731893664add185809b
100644
--- a/src/x64/lithium-codegen-x64.cc
+++ b/src/x64/lithium-codegen-x64.cc
@@ -2321,10 +2321,15 @@ void
LCodeGen::EmitLoadFieldOrConstantFunction(Register result,
// Check for cases where EmitLoadFieldOrConstantFunction needs to walk the
// prototype chain, which causes unbounded code generation.
-static bool CompactEmit(
- SmallMapList* list, Handle<String> name, int i, Isolate* isolate) {
- LookupResult lookup(isolate);
+static bool CompactEmit(SmallMapList* list,
+ Handle<String> name,
+ int i,
+ Isolate* isolate) {
Handle<Map> map = list->at(i);
+ // If the map has ElementsKind transitions, we will generate map checks
+ // for each kind in __ CompareMap(..., ALLOW_ELEMENTS_TRANSITION_MAPS).
+ if (map->elements_transition_map() != NULL) return false;
+ LookupResult lookup(isolate);
map->LookupInDescriptors(NULL, *name, &lookup);
return lookup.IsField() || lookup.IsConstantFunction();
}
Index: test/mjsunit/regress/regress-crbug-134055.js
diff --git a/test/mjsunit/compiler/optimized-closures.js
b/test/mjsunit/regress/regress-crbug-134055.js
similarity index 72%
copy from test/mjsunit/compiler/optimized-closures.js
copy to test/mjsunit/regress/regress-crbug-134055.js
index
eaf75f8d00ccd9123ed0f5232a91137845fc3973..9b658fb6f650f04520001f61f8e34d0202c5fb7d
100644
--- a/test/mjsunit/compiler/optimized-closures.js
+++ b/test/mjsunit/regress/regress-crbug-134055.js
@@ -27,31 +27,37 @@
// Flags: --allow-natives-syntax
-// Test optimized closures.
-
-var a = new Array(100);
+function crash(obj) {
+ return obj.foo;
+}
-function f() {
- var x=0;
- for (var i=0; i<100; i++) {
- var g = function goo(y) {
- function h() {
- if (goo.arguments[0] == 23) return -42;
- return 42;
- }
- return x + y + h(y);
- }
- g(0);
- %OptimizeFunctionOnNextCall(g);
- a[i] = g(i);
+function base(number_of_properties) {
+ var result = new Array();
+ for (var i = 0; i < number_of_properties; i++) {
+ result["property" + i] = "value" + i;
}
+ result.foo = number_of_properties;
+ return result;
}
-f();
-assertEquals(42, a[0]);
-assertEquals(49, a[7]);
-assertEquals(-19, a[23]);
-
-
-
-
+var a = base(12);
+var b = base(13);
+var c = base(14);
+var d = base(15);
+
+crash(a); // Premonomorphic.
+crash(a);
+crash(b);
+crash(c);
+crash(d); // Polymorphic, degree 4.
+
+//Prepare ElementsKind transition map chain.
+var x = base(13);
+x[0] = "object";
+x = base(14);
+x[0] = "object";
+x = base(15);
+x[0] = "object";
+
+%OptimizeFunctionOnNextCall(crash);
+crash(a);
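Review bot: Nothing is asserted after `%OptimizeFunctionOnNextCall(crash)`, so the test only catches a hard crash. A jump that lands in the wrong map case and returns a wrong value would pass silently. Since `base(n)` sets `foo` to `n`, the final call can be `assertEquals(12, crash(a));`, followed by `assertEquals(13, crash(b));` and `assertEquals(15, crash(d));` so that each polymorphic case runs through the optimized code.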