Reviewers: Jakob,
Description:
Merged r12413, r12414 into trunk branch.
Elements load depends on the type of the receiver.
Removed trailing whitespace.
[email protected]
BUG=
Please review this at https://chromiumcodereview.appspot.com/10907056/
SVN Base: https://v8.googlecode.com/svn/trunk
Affected files:
M src/hydrogen-instructions.h
M src/hydrogen.cc
M src/version.cc
A + test/mjsunit/regress/regress-load-elements.js
Index: src/hydrogen-instructions.h
diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h
index
b5741c633bf8eaaf1f7e7f0670524b2c7aba6930..1cc0628900764d7f76d518e6e3e3967b6080429a
100644
--- a/src/hydrogen-instructions.h
+++ b/src/hydrogen-instructions.h
@@ -2068,14 +2068,18 @@ class HUnaryMathOperation: public
HTemplateInstruction<2> {
};
-class HLoadElements: public HUnaryOperation {
+class HLoadElements: public HTemplateInstruction<2> {
public:
- explicit HLoadElements(HValue* value) : HUnaryOperation(value) {
+ HLoadElements(HValue* value, HValue* typecheck) {
+ SetOperandAt(0, value);
+ SetOperandAt(1, typecheck);
set_representation(Representation::Tagged());
SetFlag(kUseGVN);
SetGVNFlag(kDependsOnElementsPointer);
}
+ HValue* value() { return OperandAt(0); }
+
virtual Representation RequiredInputRepresentation(int index) {
return Representation::Tagged();
}
Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index
d2aba123922e05452c7bd2b65e8048137110b382..02720e1763812f2becde060788cc554540a1b013
100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -5218,7 +5218,9 @@ void HGraphBuilder::VisitArrayLiteral(ArrayLiteral*
expr) {
HValue* value = Pop();
if (!Smi::IsValid(i)) return Bailout("Non-smi key in array literal");
- elements = new(zone()) HLoadElements(literal);
+ // Pass in literal as dummy depedency, since the receiver always has
+ // elements.
+ elements = new(zone()) HLoadElements(literal, literal);
AddInstruction(elements);
HValue* key = AddInstruction(
@@ -6186,7 +6188,8 @@ HInstruction*
HGraphBuilder::BuildUncheckedMonomorphicElementAccess(
}
bool fast_smi_only_elements = map->has_fast_smi_elements();
bool fast_elements = map->has_fast_object_elements();
- HInstruction* elements = AddInstruction(new(zone())
HLoadElements(object));
+ HInstruction* elements =
+ AddInstruction(new(zone()) HLoadElements(object, mapcheck));
if (is_store && (fast_elements || fast_smi_only_elements)) {
HCheckMaps* check_cow_map = new(zone()) HCheckMaps(
elements, isolate()->factory()->fixed_array_map(), zone());
@@ -6366,13 +6369,15 @@ HValue*
HGraphBuilder::HandlePolymorphicElementAccess(HValue* object,
return is_store ? NULL : instr;
}
- AddInstruction(HCheckInstanceType::NewIsSpecObject(object, zone()));
+ HInstruction* checkspec =
+ AddInstruction(HCheckInstanceType::NewIsSpecObject(object, zone()));
HBasicBlock* join = graph()->CreateBasicBlock();
HInstruction* elements_kind_instr =
AddInstruction(new(zone()) HElementsKind(object));
HCompareConstantEqAndBranch* elements_kind_branch = NULL;
- HInstruction* elements = AddInstruction(new(zone())
HLoadElements(object));
+ HInstruction* elements =
+ AddInstruction(new(zone()) HLoadElements(object, checkspec));
HLoadExternalArrayPointer* external_elements = NULL;
HInstruction* checked_key = NULL;
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index
16a67e7db282987c5596ebc95e29e863c4bfc681..d807dbe7d0bd4c5cf30a55aa7f7a51e83b6d3bd8
100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 13
#define BUILD_NUMBER 5
-#define PATCH_LEVEL 0
+#define PATCH_LEVEL 1
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
Index: test/mjsunit/regress/regress-load-elements.js
diff --git a/test/mjsunit/compiler/optimized-closures.js
b/test/mjsunit/regress/regress-load-elements.js
similarity index 79%
copy from test/mjsunit/compiler/optimized-closures.js
copy to test/mjsunit/regress/regress-load-elements.js
index
eaf75f8d00ccd9123ed0f5232a91137845fc3973..68cdc8e8a1544f242b0881687cb024b7abc393bb
100644
--- a/test/mjsunit/compiler/optimized-closures.js
+++ b/test/mjsunit/regress/regress-load-elements.js
@@ -27,31 +27,23 @@
// Flags: --allow-natives-syntax
-// Test optimized closures.
-
-var a = new Array(100);
-
-function f() {
- var x=0;
- for (var i=0; i<100; i++) {
- var g = function goo(y) {
- function h() {
- if (goo.arguments[0] == 23) return -42;
- return 42;
- }
- return x + y + h(y);
- }
- g(0);
- %OptimizeFunctionOnNextCall(g);
- a[i] = g(i);
+function bad_func(o,a) {
+ for (var i = 0; i < 1; ++i) {
+ o.prop = 0;
+ var x = a[0];
}
}
-f();
-assertEquals(42, a[0]);
-assertEquals(49, a[7]);
-assertEquals(-19, a[23]);
-
-
+o = new Object();
+a = {};
+a[0] = 1;
+bad_func(o, a);
+o = new Object();
+bad_func(o, a);
+// Optimize. Before the fix, the elements-load and subsequent
fixed-array-length
+// were hoisted above the map check. This is invalid since not all types
+// necessarily have elements.
+%OptimizeFunctionOnNextCall(bad_func);
+bad_func(o, "");
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
