Revision: 13451
Author: [email protected]
Date: Mon Jan 21 06:39:38 2013
Log: Version 3.16.7
Removed <(library) usage from v8.gyp. (Chromium issue 111541)
Fixed out of bounds memory access in TestJSArrayForAllocationSiteInfo.
(Chromium issue 169928)
Performance and stability improvements on all platforms.
http://code.google.com/p/v8/source/detail?r=13451
Modified:
/trunk/ChangeLog
/trunk/src/arm/macro-assembler-arm.cc
/trunk/src/flag-definitions.h
/trunk/src/global-handles.cc
/trunk/src/global-handles.h
/trunk/src/hydrogen.cc
/trunk/src/ia32/macro-assembler-ia32.cc
/trunk/src/mips/code-stubs-mips.cc
/trunk/src/mips/codegen-mips.cc
/trunk/src/mips/full-codegen-mips.cc
/trunk/src/mips/ic-mips.cc
/trunk/src/mips/lithium-codegen-mips.cc
/trunk/src/mips/lithium-codegen-mips.h
/trunk/src/mips/macro-assembler-mips.cc
/trunk/src/mips/stub-cache-mips.cc
/trunk/src/v8.cc
/trunk/src/version.cc
/trunk/src/x64/macro-assembler-x64.cc
/trunk/test/cctest/test-heap.cc
/trunk/test/mjsunit/allocation-site-info.js
/trunk/tools/gyp/v8.gyp
=======================================
--- /trunk/ChangeLog Fri Jan 18 08:29:40 2013
+++ /trunk/ChangeLog Mon Jan 21 06:39:38 2013
@@ -1,3 +1,14 @@
+2013-01-21: Version 3.16.7
+
+ Removed <(library) usage from v8.gyp.
+ (Chromium issue 111541)
+
+ Fixed out of bounds memory access in
TestJSArrayForAllocationSiteInfo.
+ (Chromium issue 169928)
+
+ Performance and stability improvements on all platforms.
+
+
2013-01-18: Version 3.16.6
Made the Isolate parameter mandatory in Locker and Unlocker
classes.
=======================================
--- /trunk/src/arm/macro-assembler-arm.cc Fri Jan 18 08:29:40 2013
+++ /trunk/src/arm/macro-assembler-arm.cc Mon Jan 21 06:39:38 2013
@@ -3889,12 +3889,12 @@
ExternalReference new_space_allocation_top =
ExternalReference::new_space_allocation_top_address(isolate());
ldr(scratch_reg, FieldMemOperand(receiver_reg,
- JSArray::kSize +
AllocationSiteInfo::kSize));
+ JSArray::kSize + AllocationSiteInfo::kSize - kHeapObjectTag));
cmp(scratch_reg, Operand(new_space_start));
b(lt, &no_info_available);
cmp(scratch_reg, Operand(new_space_allocation_top));
- b(hs, &no_info_available);
- ldr(scratch_reg, MemOperand(scratch_reg, 0));
+ b(gt, &no_info_available);
+ ldr(scratch_reg, MemOperand(scratch_reg, -AllocationSiteInfo::kSize));
cmp(scratch_reg,
Operand(Handle<Map>(isolate()->heap()->allocation_site_info_map())));
b(eq, allocation_info_present);
=======================================
--- /trunk/src/flag-definitions.h Fri Jan 18 08:29:40 2013
+++ /trunk/src/flag-definitions.h Mon Jan 21 06:39:38 2013
@@ -211,6 +211,8 @@
"perform array index dehoisting")
DEFINE_bool(dead_code_elimination, true, "use dead code elimination")
DEFINE_bool(trace_dead_code_elimination, false, "trace dead code
elimination")
+DEFINE_bool(unreachable_code_elimination, false,
+ "eliminate unreachable code (hidden behind soft deopts)")
DEFINE_bool(track_allocation_sites, true,
"Use allocation site info to reduce transitions")
DEFINE_bool(trace_osr, false, "trace on-stack replacement")
=======================================
--- /trunk/src/global-handles.cc Fri Jan 18 08:29:40 2013
+++ /trunk/src/global-handles.cc Mon Jan 21 06:39:38 2013
@@ -106,12 +106,6 @@
void Release(GlobalHandles* global_handles) {
ASSERT(state() != FREE);
- if (IsWeakRetainer()) {
- global_handles->number_of_weak_handles_--;
- if (object_->IsJSGlobalObject()) {
- global_handles->number_of_global_object_weak_handles_--;
- }
- }
set_state(FREE);
parameter_or_next_free_.next_free = global_handles->first_free_;
global_handles->first_free_ = this;
@@ -221,12 +215,6 @@
void* parameter,
WeakReferenceCallback callback) {
ASSERT(state() != FREE);
- if (!IsWeakRetainer()) {
- global_handles->number_of_weak_handles_++;
- if (object_->IsJSGlobalObject()) {
- global_handles->number_of_global_object_weak_handles_++;
- }
- }
set_state(WEAK);
set_parameter(parameter);
callback_ = callback;
@@ -234,12 +222,6 @@
void ClearWeakness(GlobalHandles* global_handles) {
ASSERT(state() != FREE);
- if (IsWeakRetainer()) {
- global_handles->number_of_weak_handles_--;
- if (object_->IsJSGlobalObject()) {
- global_handles->number_of_global_object_weak_handles_--;
- }
- }
set_state(NORMAL);
set_parameter(NULL);
}
@@ -421,8 +403,6 @@
GlobalHandles::GlobalHandles(Isolate* isolate)
: isolate_(isolate),
- number_of_weak_handles_(0),
- number_of_global_object_weak_handles_(0),
number_of_global_handles_(0),
first_block_(NULL),
first_used_block_(NULL),
@@ -512,16 +492,6 @@
if (it.node()->IsWeakRetainer())
v->VisitPointer(it.node()->location());
}
}
-
-
-void GlobalHandles::IterateWeakRoots(WeakReferenceGuest f,
- WeakReferenceCallback callback) {
- for (NodeIterator it(this); !it.done(); it.Advance()) {
- if (it.node()->IsWeak() && it.node()->callback() == callback) {
- f(it.node()->object(), it.node()->parameter());
- }
- }
-}
void GlobalHandles::IdentifyWeakHandles(WeakSlotCallback f) {
@@ -710,6 +680,29 @@
}
}
}
+
+
+int GlobalHandles::NumberOfWeakHandles() {
+ int count = 0;
+ for (NodeIterator it(this); !it.done(); it.Advance()) {
+ if (it.node()->IsWeakRetainer()) {
+ count++;
+ }
+ }
+ return count;
+}
+
+
+int GlobalHandles::NumberOfGlobalObjectWeakHandles() {
+ int count = 0;
+ for (NodeIterator it(this); !it.done(); it.Advance()) {
+ if (it.node()->IsWeakRetainer() &&
+ it.node()->object()->IsJSGlobalObject()) {
+ count++;
+ }
+ }
+ return count;
+}
void GlobalHandles::RecordStats(HeapStats* stats) {
=======================================
--- /trunk/src/global-handles.h Fri Jan 18 08:29:40 2013
+++ /trunk/src/global-handles.h Mon Jan 21 06:39:38 2013
@@ -108,8 +108,6 @@
};
-typedef void (*WeakReferenceGuest)(Object* object, void* parameter);
-
class GlobalHandles {
public:
~GlobalHandles();
@@ -130,16 +128,14 @@
void* parameter,
WeakReferenceCallback callback);
+ void RecordStats(HeapStats* stats);
+
// Returns the current number of weak handles.
- int NumberOfWeakHandles() { return number_of_weak_handles_; }
-
- void RecordStats(HeapStats* stats);
+ int NumberOfWeakHandles();
// Returns the current number of weak handles to global objects.
// These handles are also included in NumberOfWeakHandles().
- int NumberOfGlobalObjectWeakHandles() {
- return number_of_global_object_weak_handles_;
- }
+ int NumberOfGlobalObjectWeakHandles();
// Returns the current number of handles to global objects.
int NumberOfGlobalHandles() {
@@ -180,10 +176,6 @@
// Iterates over all weak roots in heap.
void IterateWeakRoots(ObjectVisitor* v);
- // Iterates over weak roots that are bound to a given callback.
- void IterateWeakRoots(WeakReferenceGuest f,
- WeakReferenceCallback callback);
-
// Find all weak handles satisfying the callback predicate, mark
// them as pending.
void IdentifyWeakHandles(WeakSlotCallback f);
@@ -255,14 +247,6 @@
Isolate* isolate_;
- // Field always containing the number of weak and near-death handles.
- int number_of_weak_handles_;
-
- // Field always containing the number of weak and near-death handles
- // to global objects. These objects are also included in
- // number_of_weak_handles_.
- int number_of_global_object_weak_handles_;
-
// Field always containing the number of handles to global objects.
int number_of_global_handles_;
=======================================
--- /trunk/src/hydrogen.cc Fri Jan 18 08:29:40 2013
+++ /trunk/src/hydrogen.cc Mon Jan 21 06:39:38 2013
@@ -1267,6 +1267,7 @@
void HGraph::NullifyUnreachableInstructions() {
+ if (!FLAG_unreachable_code_elimination) return;
int block_count = blocks_.length();
for (int i = 0; i < block_count; ++i) {
HBasicBlock* block = blocks_.at(i);
=======================================
--- /trunk/src/ia32/macro-assembler-ia32.cc Fri Jan 18 08:29:40 2013
+++ /trunk/src/ia32/macro-assembler-ia32.cc Mon Jan 21 06:39:38 2013
@@ -3055,18 +3055,19 @@
Register scratch_reg,
Label* allocation_info_present) {
Label no_info_available;
+
ExternalReference new_space_start =
ExternalReference::new_space_start(isolate());
ExternalReference new_space_allocation_top =
ExternalReference::new_space_allocation_top_address(isolate());
lea(scratch_reg, Operand(receiver_reg,
- JSArray::kSize + AllocationSiteInfo::kSize));
+ JSArray::kSize + AllocationSiteInfo::kSize - kHeapObjectTag));
cmp(scratch_reg, Immediate(new_space_start));
j(less, &no_info_available);
cmp(scratch_reg, Operand::StaticVariable(new_space_allocation_top));
- j(greater_equal, &no_info_available);
- cmp(MemOperand(scratch_reg, 0),
+ j(greater, &no_info_available);
+ cmp(MemOperand(scratch_reg, -AllocationSiteInfo::kSize),
Immediate(Handle<Map>(isolate()->heap()->allocation_site_info_map())));
j(equal, allocation_info_present);
bind(&no_info_available);
=======================================
--- /trunk/src/mips/code-stubs-mips.cc Fri Jan 18 08:29:40 2013
+++ /trunk/src/mips/code-stubs-mips.cc Mon Jan 21 06:39:38 2013
@@ -343,7 +343,7 @@
MacroAssembler* masm,
int length,
FastCloneShallowArrayStub::Mode mode,
- AllocationSiteInfoMode allocation_site_info_mode,
+ AllocationSiteMode allocation_site_mode,
Label* fail) {
// Registers on entry:
// a3: boilerplate literal array.
@@ -356,9 +356,10 @@
? FixedDoubleArray::SizeFor(length)
: FixedArray::SizeFor(length);
}
+
int size = JSArray::kSize;
int allocation_info_start = size;
- if (allocation_site_info_mode == TRACK_ALLOCATION_SITE_INFO) {
+ if (allocation_site_mode == TRACK_ALLOCATION_SITE) {
size += AllocationSiteInfo::kSize;
}
size += elements_size;
@@ -372,7 +373,7 @@
fail,
TAG_OBJECT);
- if (allocation_site_info_mode == TRACK_ALLOCATION_SITE_INFO) {
+ if (allocation_site_mode == TRACK_ALLOCATION_SITE) {
__ li(a2, Operand(Handle<Map>(masm->isolate()->heap()->
allocation_site_info_map())));
__ sw(a2, FieldMemOperand(v0, allocation_info_start));
@@ -391,7 +392,7 @@
// Get hold of the elements array of the boilerplate and setup the
// elements pointer in the resulting object.
__ lw(a3, FieldMemOperand(a3, JSArray::kElementsOffset));
- if (allocation_site_info_mode == TRACK_ALLOCATION_SITE_INFO) {
+ if (allocation_site_mode == TRACK_ALLOCATION_SITE) {
__ Addu(a2, v0, Operand(JSArray::kSize + AllocationSiteInfo::kSize));
} else {
__ Addu(a2, v0, Operand(JSArray::kSize));
@@ -424,21 +425,14 @@
__ Branch(&slow_case, eq, a3, Operand(t1));
FastCloneShallowArrayStub::Mode mode = mode_;
- AllocationSiteInfoMode allocation_site_info_mode =
- DONT_TRACK_ALLOCATION_SITE_INFO;
- if (mode == CLONE_ANY_ELEMENTS_WITH_ALLOCATION_SITE_INFO) {
- mode = CLONE_ANY_ELEMENTS;
- allocation_site_info_mode = TRACK_ALLOCATION_SITE_INFO;
- }
if (mode == CLONE_ANY_ELEMENTS) {
Label double_elements, check_fast_elements;
__ lw(v0, FieldMemOperand(a3, JSArray::kElementsOffset));
__ lw(v0, FieldMemOperand(v0, HeapObject::kMapOffset));
__ LoadRoot(t1, Heap::kFixedCOWArrayMapRootIndex);
__ Branch(&check_fast_elements, ne, v0, Operand(t1));
- GenerateFastCloneShallowArrayCommon(masm, 0,
- COPY_ON_WRITE_ELEMENTS,
- allocation_site_info_mode,
+ GenerateFastCloneShallowArrayCommon(masm, 0, COPY_ON_WRITE_ELEMENTS,
+ allocation_site_mode_,
&slow_case);
// Return and remove the on-stack parameters.
__ DropAndRet(3);
@@ -446,9 +440,8 @@
__ bind(&check_fast_elements);
__ LoadRoot(t1, Heap::kFixedArrayMapRootIndex);
__ Branch(&double_elements, ne, v0, Operand(t1));
- GenerateFastCloneShallowArrayCommon(masm, length_,
- CLONE_ELEMENTS,
- allocation_site_info_mode,
+ GenerateFastCloneShallowArrayCommon(masm, length_, CLONE_ELEMENTS,
+ allocation_site_mode_,
&slow_case);
// Return and remove the on-stack parameters.
__ DropAndRet(3);
@@ -481,7 +474,8 @@
}
GenerateFastCloneShallowArrayCommon(masm, length_, mode,
- allocation_site_info_mode,
&slow_case);
+ allocation_site_mode_,
+ &slow_case);
// Return and remove the on-stack parameters.
__ DropAndRet(3);
=======================================
--- /trunk/src/mips/codegen-mips.cc Fri Jan 18 08:29:40 2013
+++ /trunk/src/mips/codegen-mips.cc Mon Jan 21 06:39:38 2013
@@ -143,7 +143,8 @@
#define __ ACCESS_MASM(masm)
void ElementsTransitionGenerator::GenerateMapChangeElementsTransition(
- MacroAssembler* masm) {
+ MacroAssembler* masm, AllocationSiteMode mode,
+ Label* allocation_site_info_found) {
// ----------- S t a t e -------------
// -- a0 : value
// -- a1 : key
@@ -152,6 +153,12 @@
// -- a3 : target map, scratch for subsequent call
// -- t0 : scratch (elements)
// -----------------------------------
+ if (mode == TRACK_ALLOCATION_SITE) {
+ ASSERT(allocation_site_info_found != NULL);
+ masm->TestJSArrayForAllocationSiteInfo(a2, t0,
+ allocation_site_info_found);
+ }
+
// Set transitioned map.
__ sw(a3, FieldMemOperand(a2, HeapObject::kMapOffset));
__ RecordWriteField(a2,
@@ -166,7 +173,7 @@
void ElementsTransitionGenerator::GenerateSmiToDouble(
- MacroAssembler* masm, Label* fail) {
+ MacroAssembler* masm, AllocationSiteMode mode, Label* fail) {
// ----------- S t a t e -------------
// -- a0 : value
// -- a1 : key
@@ -180,7 +187,7 @@
Register scratch = t6;
- if (FLAG_track_allocation_sites) {
+ if (mode == TRACK_ALLOCATION_SITE) {
masm->TestJSArrayForAllocationSiteInfo(a2, t0, fail);
}
@@ -313,7 +320,7 @@
void ElementsTransitionGenerator::GenerateDoubleToObject(
- MacroAssembler* masm, Label* fail) {
+ MacroAssembler* masm, AllocationSiteMode mode, Label* fail) {
// ----------- S t a t e -------------
// -- a0 : value
// -- a1 : key
@@ -324,6 +331,10 @@
// -----------------------------------
Label entry, loop, convert_hole, gc_required, only_change_map;
+ if (mode == TRACK_ALLOCATION_SITE) {
+ masm->TestJSArrayForAllocationSiteInfo(a2, t0, fail);
+ }
+
// Check for empty arrays, which only require a map transition and no
changes
// to the backing store.
__ lw(t0, FieldMemOperand(a2, JSObject::kElementsOffset));
=======================================
--- /trunk/src/mips/full-codegen-mips.cc Wed Jan 9 08:32:23 2013
+++ /trunk/src/mips/full-codegen-mips.cc Mon Jan 21 06:39:38 2013
@@ -1730,7 +1730,9 @@
if (has_fast_elements && constant_elements_values->map() ==
isolate()->heap()->fixed_cow_array_map()) {
FastCloneShallowArrayStub stub(
- FastCloneShallowArrayStub::COPY_ON_WRITE_ELEMENTS, length);
+ FastCloneShallowArrayStub::COPY_ON_WRITE_ELEMENTS,
+ DONT_TRACK_ALLOCATION_SITE,
+ length);
__ CallStub(&stub);
__ IncrementCounter(isolate()->counters()->cow_arrays_created_stub(),
1, a1, a2);
@@ -1741,19 +1743,17 @@
} else {
ASSERT(IsFastSmiOrObjectElementsKind(constant_elements_kind) ||
FLAG_smi_only_arrays);
- FastCloneShallowArrayStub::Mode mode = has_fast_elements
- ? FastCloneShallowArrayStub::CLONE_ELEMENTS
- : FastCloneShallowArrayStub::CLONE_ANY_ELEMENTS;
+ FastCloneShallowArrayStub::Mode mode =
+ FastCloneShallowArrayStub::CLONE_ANY_ELEMENTS;
+ AllocationSiteMode allocation_site_mode = FLAG_track_allocation_sites
+ ? TRACK_ALLOCATION_SITE : DONT_TRACK_ALLOCATION_SITE;
- // Tracking allocation info allows us to pre-transition later if it
makes
- // sense.
- if (mode == FastCloneShallowArrayStub::CLONE_ANY_ELEMENTS &&
- FLAG_track_allocation_sites) {
- mode = FastCloneShallowArrayStub::
- CLONE_ANY_ELEMENTS_WITH_ALLOCATION_SITE_INFO;
+ if (has_fast_elements) {
+ mode = FastCloneShallowArrayStub::CLONE_ELEMENTS;
+ allocation_site_mode = DONT_TRACK_ALLOCATION_SITE;
}
- FastCloneShallowArrayStub stub(mode, length);
+ FastCloneShallowArrayStub stub(mode, allocation_site_mode, length);
__ CallStub(&stub);
}
=======================================
--- /trunk/src/mips/ic-mips.cc Wed Jan 9 08:32:23 2013
+++ /trunk/src/mips/ic-mips.cc Mon Jan 21 06:39:38 2013
@@ -1295,7 +1295,9 @@
t0,
slow);
ASSERT(receiver_map.is(a3)); // Transition code expects map in a3
- ElementsTransitionGenerator::GenerateSmiToDouble(masm, slow);
+ AllocationSiteMode mode = AllocationSiteInfo::GetMode(FAST_SMI_ELEMENTS,
+
FAST_DOUBLE_ELEMENTS);
+ ElementsTransitionGenerator::GenerateSmiToDouble(masm, mode, slow);
__ lw(elements, FieldMemOperand(receiver, JSObject::kElementsOffset));
__ jmp(&fast_double_without_map_check);
@@ -1307,7 +1309,9 @@
t0,
slow);
ASSERT(receiver_map.is(a3)); // Transition code expects map in a3
- ElementsTransitionGenerator::GenerateMapChangeElementsTransition(masm);
+ mode = AllocationSiteInfo::GetMode(FAST_SMI_ELEMENTS, FAST_ELEMENTS);
+ ElementsTransitionGenerator::GenerateMapChangeElementsTransition(masm,
mode,
+ slow);
__ lw(elements, FieldMemOperand(receiver, JSObject::kElementsOffset));
__ jmp(&finish_object_store);
@@ -1321,7 +1325,8 @@
t0,
slow);
ASSERT(receiver_map.is(a3)); // Transition code expects map in a3
- ElementsTransitionGenerator::GenerateDoubleToObject(masm, slow);
+ mode = AllocationSiteInfo::GetMode(FAST_DOUBLE_ELEMENTS, FAST_ELEMENTS);
+ ElementsTransitionGenerator::GenerateDoubleToObject(masm, mode, slow);
__ lw(elements, FieldMemOperand(receiver, JSObject::kElementsOffset));
__ jmp(&finish_object_store);
}
@@ -1505,7 +1510,9 @@
// Must return the modified receiver in v0.
if (!FLAG_trace_elements_transitions) {
Label fail;
- ElementsTransitionGenerator::GenerateSmiToDouble(masm, &fail);
+ AllocationSiteMode mode =
AllocationSiteInfo::GetMode(FAST_SMI_ELEMENTS,
+
FAST_DOUBLE_ELEMENTS);
+ ElementsTransitionGenerator::GenerateSmiToDouble(masm, mode, &fail);
__ Ret(USE_DELAY_SLOT);
__ mov(v0, a2);
__ bind(&fail);
@@ -1526,7 +1533,9 @@
// Must return the modified receiver in v0.
if (!FLAG_trace_elements_transitions) {
Label fail;
- ElementsTransitionGenerator::GenerateDoubleToObject(masm, &fail);
+ AllocationSiteMode mode =
AllocationSiteInfo::GetMode(FAST_DOUBLE_ELEMENTS,
+ FAST_ELEMENTS);
+ ElementsTransitionGenerator::GenerateDoubleToObject(masm, mode, &fail);
__ Ret(USE_DELAY_SLOT);
__ mov(v0, a2);
__ bind(&fail);
=======================================
--- /trunk/src/mips/lithium-codegen-mips.cc Fri Jan 18 08:29:40 2013
+++ /trunk/src/mips/lithium-codegen-mips.cc Mon Jan 21 06:39:38 2013
@@ -5118,6 +5118,8 @@
Handle<FixedArray> literals(instr->environment()->closure()->literals());
ElementsKind boilerplate_elements_kind =
instr->hydrogen()->boilerplate_elements_kind();
+ AllocationSiteMode allocation_site_mode =
+ instr->hydrogen()->allocation_site_mode();
// Deopt if the array literal boilerplate ElementsKind is of a type
different
// than the expected one. The check isn't necessary if the boilerplate
has
@@ -5151,7 +5153,7 @@
ASSERT(instr->hydrogen()->depth() == 1);
FastCloneShallowArrayStub::Mode mode =
FastCloneShallowArrayStub::COPY_ON_WRITE_ELEMENTS;
- FastCloneShallowArrayStub stub(mode, length);
+ FastCloneShallowArrayStub stub(mode, DONT_TRACK_ALLOCATION_SITE,
length);
CallCode(stub.GetCode(), RelocInfo::CODE_TARGET, instr);
} else if (instr->hydrogen()->depth() > 1) {
CallRuntime(Runtime::kCreateArrayLiteral, 3, instr);
@@ -5160,9 +5162,9 @@
} else {
FastCloneShallowArrayStub::Mode mode =
boilerplate_elements_kind == FAST_DOUBLE_ELEMENTS
- ? FastCloneShallowArrayStub::CLONE_DOUBLE_ELEMENTS
- : FastCloneShallowArrayStub::CLONE_ELEMENTS;
- FastCloneShallowArrayStub stub(mode, length);
+ ? FastCloneShallowArrayStub::CLONE_DOUBLE_ELEMENTS
+ : FastCloneShallowArrayStub::CLONE_ELEMENTS;
+ FastCloneShallowArrayStub stub(mode, allocation_site_mode, length);
CallCode(stub.GetCode(), RelocInfo::CODE_TARGET, instr);
}
}
@@ -5171,10 +5173,14 @@
void LCodeGen::EmitDeepCopy(Handle<JSObject> object,
Register result,
Register source,
- int* offset) {
+ int* offset,
+ AllocationSiteMode mode) {
ASSERT(!source.is(a2));
ASSERT(!result.is(a2));
+ bool create_allocation_site_info = mode == TRACK_ALLOCATION_SITE &&
+ object->map()->CanTrackAllocationSite();
+
// Only elements backing stores for non-COW arrays need to be copied.
Handle<FixedArrayBase> elements(object->elements());
bool has_elements = elements->length() > 0 &&
@@ -5184,8 +5190,13 @@
// this object and its backing store.
int object_offset = *offset;
int object_size = object->map()->instance_size();
+ int elements_size = has_elements ? elements->Size() : 0;
int elements_offset = *offset + object_size;
- int elements_size = has_elements ? elements->Size() : 0;
+ if (create_allocation_site_info) {
+ elements_offset += AllocationSiteInfo::kSize;
+ *offset += AllocationSiteInfo::kSize;
+ }
+
*offset += object_size + elements_size;
// Copy object header.
@@ -5210,7 +5221,8 @@
__ Addu(a2, result, Operand(*offset));
__ sw(a2, FieldMemOperand(result, total_offset));
__ LoadHeapObject(source, value_object);
- EmitDeepCopy(value_object, result, source, offset);
+ EmitDeepCopy(value_object, result, source, offset,
+ DONT_TRACK_ALLOCATION_SITE);
} else if (value->IsHeapObject()) {
__ LoadHeapObject(a2, Handle<HeapObject>::cast(value));
__ sw(a2, FieldMemOperand(result, total_offset));
@@ -5220,6 +5232,13 @@
}
}
+ // Build Allocation Site Info if desired
+ if (create_allocation_site_info) {
+ __ li(a2, Operand(Handle<Map>(isolate()->heap()->
+ allocation_site_info_map())));
+ __ sw(a2, FieldMemOperand(result, object_size));
+ __ sw(source, FieldMemOperand(result, object_size + kPointerSize));
+ }
if (has_elements) {
// Copy elements backing store header.
@@ -5256,7 +5275,8 @@
__ Addu(a2, result, Operand(*offset));
__ sw(a2, FieldMemOperand(result, total_offset));
__ LoadHeapObject(source, value_object);
- EmitDeepCopy(value_object, result, source, offset);
+ EmitDeepCopy(value_object, result, source, offset,
+ DONT_TRACK_ALLOCATION_SITE);
} else if (value->IsHeapObject()) {
__ LoadHeapObject(a2, Handle<HeapObject>::cast(value));
__ sw(a2, FieldMemOperand(result, total_offset));
@@ -5307,7 +5327,8 @@
__ bind(&allocated);
int offset = 0;
__ LoadHeapObject(a1, instr->hydrogen()->boilerplate());
- EmitDeepCopy(instr->hydrogen()->boilerplate(), v0, a1, &offset);
+ EmitDeepCopy(instr->hydrogen()->boilerplate(), v0, a1, &offset,
+ instr->hydrogen()->allocation_site_mode());
ASSERT_EQ(size, offset);
}
=======================================
--- /trunk/src/mips/lithium-codegen-mips.h Wed Jan 9 08:32:23 2013
+++ /trunk/src/mips/lithium-codegen-mips.h Mon Jan 21 06:39:38 2013
@@ -375,7 +375,8 @@
void EmitDeepCopy(Handle<JSObject> object,
Register result,
Register source,
- int* offset);
+ int* offset,
+ AllocationSiteMode mode);
struct JumpTableEntry {
inline JumpTableEntry(Address entry, bool frame, bool is_lazy)
=======================================
--- /trunk/src/mips/macro-assembler-mips.cc Fri Jan 18 08:29:40 2013
+++ /trunk/src/mips/macro-assembler-mips.cc Mon Jan 21 06:39:38 2013
@@ -5455,11 +5455,11 @@
ExternalReference new_space_allocation_top =
ExternalReference::new_space_allocation_top_address(isolate());
lw(scratch_reg, FieldMemOperand(receiver_reg,
- JSArray::kSize +
AllocationSiteInfo::kSize));
+ JSArray::kSize + AllocationSiteInfo::kSize - kHeapObjectTag));
Branch(&no_info_available, lt, scratch_reg, Operand(new_space_start));
- Branch(&no_info_available, hs, scratch_reg,
+ Branch(&no_info_available, gt, scratch_reg,
Operand(new_space_allocation_top));
- lw(scratch_reg, MemOperand(scratch_reg));
+ lw(scratch_reg, MemOperand(scratch_reg, -AllocationSiteInfo::kSize));
Branch(allocation_info_present, eq, scratch_reg,
Operand(Handle<Map>(isolate()->heap()->allocation_site_info_map())));
bind(&no_info_available);
=======================================
--- /trunk/src/mips/stub-cache-mips.cc Wed Jan 9 08:32:23 2013
+++ /trunk/src/mips/stub-cache-mips.cc Mon Jan 21 06:39:38 2013
@@ -1693,7 +1693,9 @@
&try_holey_map);
__ mov(a2, receiver);
ElementsTransitionGenerator::
- GenerateMapChangeElementsTransition(masm());
+ GenerateMapChangeElementsTransition(masm(),
+ DONT_TRACK_ALLOCATION_SITE,
+ NULL);
__ jmp(&fast_object);
__ bind(&try_holey_map);
@@ -1704,7 +1706,9 @@
&call_builtin);
__ mov(a2, receiver);
ElementsTransitionGenerator::
- GenerateMapChangeElementsTransition(masm());
+ GenerateMapChangeElementsTransition(masm(),
+ DONT_TRACK_ALLOCATION_SITE,
+ NULL);
__ bind(&fast_object);
} else {
__ CheckFastObjectElements(a3, a3, &call_builtin);
=======================================
--- /trunk/src/v8.cc Mon Nov 26 06:53:56 2012
+++ /trunk/src/v8.cc Mon Jan 21 06:39:38 2013
@@ -63,8 +63,6 @@
bool V8::Initialize(Deserializer* des) {
- FlagList::EnforceFlagImplications();
-
InitializeOncePerProcess();
// The current thread may not yet had entered an isolate to run.
@@ -263,31 +261,20 @@
}
void V8::InitializeOncePerProcessImpl() {
+ FlagList::EnforceFlagImplications();
+ if (FLAG_stress_compaction) {
+ FLAG_force_marking_deque_overflows = true;
+ FLAG_gc_global = true;
+ FLAG_max_new_space_size = (1 << (kPageSizeBits - 10)) * 2;
+ }
OS::SetUp();
-
- use_crankshaft_ = FLAG_crankshaft;
-
- if (Serializer::enabled()) {
- use_crankshaft_ = false;
- }
-
CPU::SetUp();
- if (!CPU::SupportsCrankshaft()) {
- use_crankshaft_ = false;
- }
-
+ use_crankshaft_ = FLAG_crankshaft
+ && !Serializer::enabled()
+ && CPU::SupportsCrankshaft();
OS::PostSetUp();
-
RuntimeProfiler::GlobalSetUp();
-
ElementsAccessor::InitializeOncePerProcess();
-
- if (FLAG_stress_compaction) {
- FLAG_force_marking_deque_overflows = true;
- FLAG_gc_global = true;
- FLAG_max_new_space_size = (1 << (kPageSizeBits - 10)) * 2;
- }
-
LOperand::SetUpCaches();
SetUpJSCallerSavedCodeData();
SamplerRegistry::SetUp();
=======================================
--- /trunk/src/version.cc Fri Jan 18 08:29:40 2013
+++ /trunk/src/version.cc Mon Jan 21 06:39:38 2013
@@ -34,7 +34,7 @@
// cannot be changed without changing the SCons build script.
#define MAJOR_VERSION 3
#define MINOR_VERSION 16
-#define BUILD_NUMBER 6
+#define BUILD_NUMBER 7
#define PATCH_LEVEL 0
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
=======================================
--- /trunk/src/x64/macro-assembler-x64.cc Fri Jan 18 08:29:40 2013
+++ /trunk/src/x64/macro-assembler-x64.cc Mon Jan 21 06:39:38 2013
@@ -4615,13 +4615,13 @@
ExternalReference::new_space_allocation_top_address(isolate());
lea(scratch_reg, Operand(receiver_reg,
- JSArray::kSize + AllocationSiteInfo::kSize));
+ JSArray::kSize + AllocationSiteInfo::kSize - kHeapObjectTag));
movq(kScratchRegister, new_space_start);
cmpq(scratch_reg, kScratchRegister);
j(less, &no_info_available);
cmpq(scratch_reg, ExternalOperand(new_space_allocation_top));
- j(greater_equal, &no_info_available);
- CompareRoot(MemOperand(scratch_reg, 0),
+ j(greater, &no_info_available);
+ CompareRoot(MemOperand(scratch_reg, -AllocationSiteInfo::kSize),
Heap::kAllocationSiteInfoMapRootIndex);
j(equal, allocation_info_present);
bind(&no_info_available);
=======================================
--- /trunk/test/cctest/test-heap.cc Fri Jan 18 08:29:40 2013
+++ /trunk/test/cctest/test-heap.cc Mon Jan 21 06:39:38 2013
@@ -2694,3 +2694,87 @@
HEAP->CollectAllGarbage(Heap::kNoGCFlags);
CHECK(shared1->code()->gc_metadata() == NULL);
}
+
+
+// Helper function that simulates a fill new-space in the heap.
+static inline void AllocateAllButNBytes(v8::internal::NewSpace* space,
+ int extra_bytes) {
+ int space_remaining = static_cast<int>(
+ *space->allocation_limit_address() -
*space->allocation_top_address());
+ CHECK(space_remaining >= extra_bytes);
+ int new_linear_size = space_remaining - extra_bytes;
+ v8::internal::MaybeObject* maybe = space->AllocateRaw(new_linear_size);
+ v8::internal::FreeListNode* node =
v8::internal::FreeListNode::cast(maybe);
+ node->set_size(space->heap(), new_linear_size);
+}
+
+
+TEST(Regress169928) {
+ i::FLAG_allow_natives_syntax = true;
+ i::FLAG_crankshaft = false;
+ InitializeVM();
+ v8::HandleScope scope;
+
+ // Some flags turn Scavenge collections into Mark-sweep collections
+ // and hence are incompatible with this test case.
+ if (FLAG_gc_global || FLAG_stress_compaction) return;
+
+ // Prepare the environment
+ CompileRun("function fastliteralcase(literal, value) {"
+ " literal[0] = value;"
+ " return literal;"
+ "}"
+ "function get_standard_literal() {"
+ " var literal = [1, 2, 3];"
+ " return literal;"
+ "}"
+ "obj = fastliteralcase(get_standard_literal(), 1);"
+ "obj = fastliteralcase(get_standard_literal(), 1.5);"
+ "obj = fastliteralcase(get_standard_literal(), 2);");
+
+ // prepare the heap
+ v8::Local<v8::String> mote_code_string =
+ v8_str("fastliteralcase(mote, 2.5);");
+
+ v8::Local<v8::String> array_name = v8_str("mote");
+ v8::Context::GetCurrent()->Global()->Set(array_name, v8::Int32::New(0));
+
+ // First make sure we flip spaces
+ HEAP->CollectGarbage(NEW_SPACE);
+
+ // Allocate the object.
+ Handle<FixedArray> array_data = FACTORY->NewFixedArray(2, NOT_TENURED);
+ array_data->set(0, Smi::FromInt(1));
+ array_data->set(1, Smi::FromInt(2));
+
+ AllocateAllButNBytes(HEAP->new_space(),
+ JSArray::kSize + AllocationSiteInfo::kSize +
+ kPointerSize);
+
+ Handle<JSArray> array = FACTORY->NewJSArrayWithElements(array_data,
+
FAST_SMI_ELEMENTS,
+ NOT_TENURED);
+
+ CHECK_EQ(Smi::FromInt(2), array->length());
+ CHECK(array->HasFastSmiOrObjectElements());
+
+ // We need filler the size of AllocationSiteInfo object, plus an extra
+ // fill pointer value.
+ MaybeObject* maybe_object = HEAP->AllocateRaw(
+ AllocationSiteInfo::kSize + kPointerSize, NEW_SPACE,
OLD_POINTER_SPACE);
+ Object* obj = NULL;
+ CHECK(maybe_object->ToObject(&obj));
+ Address addr_obj = reinterpret_cast<Address>(
+ reinterpret_cast<byte*>(obj - kHeapObjectTag));
+ HEAP->CreateFillerObjectAt(addr_obj,
+ AllocationSiteInfo::kSize + kPointerSize);
+
+ // Give the array a name, making sure not to allocate strings.
+ v8::Handle<v8::Object> array_obj = v8::Utils::ToLocal(array);
+ v8::Context::GetCurrent()->Global()->Set(array_name, array_obj);
+
+ // This should crash with a protection violation if we are running a
build
+ // with the bug.
+ AlwaysAllocateScope aa_scope;
+ v8::Script::Compile(mote_code_string)->Run();
+}
=======================================
--- /trunk/test/mjsunit/allocation-site-info.js Fri Jan 18 08:29:40 2013
+++ /trunk/test/mjsunit/allocation-site-info.js Mon Jan 21 06:39:38 2013
@@ -75,40 +75,52 @@
}
if (support_smi_only_arrays) {
- function fastliteralcase(value) {
- var literal = [1, 2, 3];
- literal[0] = value;
- return literal;
- }
+ function fastliteralcase(literal, value) {
+ // var literal = [1, 2, 3];
+ literal[0] = value;
+ return literal;
+ }
- // Case: [1,2,3] as allocation site
- obj = fastliteralcase(1);
- assertKind(elements_kind.fast_smi_only, obj);
- obj = fastliteralcase(1.5);
- assertKind(elements_kind.fast_double, obj);
- obj = fastliteralcase(2);
- assertKind(elements_kind.fast_double, obj);
+ function get_standard_literal() {
+ var literal = [1, 2, 3];
+ return literal;
+ }
- // Verify that we will not pretransition the double->fast path.
- obj = fastliteralcase("elliot");
- assertKind(elements_kind.fast, obj);
+ // Case: [1,2,3] as allocation site
+ obj = fastliteralcase(get_standard_literal(), 1);
+ assertKind(elements_kind.fast_smi_only, obj);
+ obj = fastliteralcase(get_standard_literal(), 1.5);
+ assertKind(elements_kind.fast_double, obj);
+ obj = fastliteralcase(get_standard_literal(), 2);
+ assertKind(elements_kind.fast_double, obj);
- // This fails until we turn off optimistic transitions to the
- // most general elements kind seen on keyed stores. It's a goal
- // to turn it off, but for now we need it.
- // obj = fastliteralcase(3);
- // assertKind(elements_kind.fast_double, obj);
+ obj = fastliteralcase([5, 3, 2], 1.5);
+ assertKind(elements_kind.fast_double, obj);
+ obj = fastliteralcase([3, 6, 2], 1.5);
+ assertKind(elements_kind.fast_double, obj);
+ obj = fastliteralcase([2, 6, 3], 2);
+ assertKind(elements_kind.fast_smi_only, obj);
+
+ // Verify that we will not pretransition the double->fast path.
+ obj = fastliteralcase(get_standard_literal(), "elliot");
+ assertKind(elements_kind.fast, obj);
+
+ // This fails until we turn off optimistic transitions to the
+ // most general elements kind seen on keyed stores. It's a goal
+ // to turn it off, but for now we need it.
+ // obj = fastliteralcase(3);
+ // assertKind(elements_kind.fast_double, obj);
- function fastliteralcase_smifast(value) {
- var literal = [1, 2, 3, 4];
- literal[0] = value;
- return literal;
- }
+ function fastliteralcase_smifast(value) {
+ var literal = [1, 2, 3, 4];
+ literal[0] = value;
+ return literal;
+ }
- obj = fastliteralcase_smifast(1);
- assertKind(elements_kind.fast_smi_only, obj);
- obj = fastliteralcase_smifast("carter");
- assertKind(elements_kind.fast, obj);
- obj = fastliteralcase_smifast(2);
- assertKind(elements_kind.fast, obj);
+ obj = fastliteralcase_smifast(1);
+ assertKind(elements_kind.fast_smi_only, obj);
+ obj = fastliteralcase_smifast("carter");
+ assertKind(elements_kind.fast, obj);
+ obj = fastliteralcase_smifast(2);
+ assertKind(elements_kind.fast, obj);
}
=======================================
--- /trunk/tools/gyp/v8.gyp Fri Jan 18 08:29:40 2013
+++ /trunk/tools/gyp/v8.gyp Mon Jan 21 06:39:38 2013
@@ -99,7 +99,7 @@
},
{
'target_name': 'v8_snapshot',
- 'type': '<(library)',
+ 'type': 'static_library',
'conditions': [
['want_separate_host_toolset==1', {
'toolsets': ['host', 'target'],
@@ -190,7 +190,7 @@
},
{
'target_name': 'v8_nosnapshot',
- 'type': '<(library)',
+ 'type': 'static_library',
'dependencies': [
'v8_base',
],
@@ -220,7 +220,7 @@
},
{
'target_name': 'v8_base',
- 'type': '<(library)',
+ 'type': 'static_library',
'variables': {
'optimize': 'max',
},
@@ -908,7 +908,7 @@
},
{
'target_name': 'preparser_lib',
- 'type': '<(library)',
+ 'type': 'static_library',
'include_dirs+': [
'../../src',
],
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
