[v8-dev] Incorrect ARM assembly in MacroAssembler::TestJSArrayForAllocationSiteInfo (issue 12045017)

mvstanton Tue, 22 Jan 2013 02:16:21 -0800

Reviewers: Yang,

Message:

Hi Yang, here is the fix for the issue seen in the tests last night on ARM.I've

tested in the ARM simulator now.
Thanks,
--Michael



Description:
Incorrect ARM assembly in MacroAssembler::TestJSArrayForAllocationSiteInfo

Restored test code in allocation-site-info.js that was failing on ARMbecause of

this bug.

BUG=


Please review this at https://codereview.chromium.org/12045017/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files:
  M src/arm/macro-assembler-arm.cc
  M test/mjsunit/allocation-site-info.js


Index: src/arm/macro-assembler-arm.cc
diff --git a/src/arm/macro-assembler-arm.cc b/src/arm/macro-assembler-arm.cc

index7f641a7ae395b271101c14851e6dee2073fbb64a..89becca57e8bcc78e3aefe6f41dd8ed727de525a100644

--- a/src/arm/macro-assembler-arm.cc
+++ b/src/arm/macro-assembler-arm.cc

@@ -3888,11 +3888,13 @@ voidMacroAssembler::TestJSArrayForAllocationSiteInfo(

       ExternalReference::new_space_start(isolate());
   ExternalReference new_space_allocation_top =
       ExternalReference::new_space_allocation_top_address(isolate());
-  ldr(scratch_reg, FieldMemOperand(receiver_reg,
-      JSArray::kSize + AllocationSiteInfo::kSize - kHeapObjectTag));
+  add(scratch_reg, receiver_reg,

+ Operand(JSArray::kSize + AllocationSiteInfo::kSize -kHeapObjectTag));

   cmp(scratch_reg, Operand(new_space_start));
   b(lt, &no_info_available);
-  cmp(scratch_reg, Operand(new_space_allocation_top));
+  mov(ip, Operand(new_space_allocation_top));
+  ldr(ip, MemOperand(ip));
+  cmp(scratch_reg, ip);
   b(gt, &no_info_available);
   ldr(scratch_reg, MemOperand(scratch_reg, -AllocationSiteInfo::kSize));
   cmp(scratch_reg,
Index: test/mjsunit/allocation-site-info.js

diff --git a/test/mjsunit/allocation-site-info.jsb/test/mjsunit/allocation-site-info.jsindexf4263aff0c74eec6fe08c022b14a28036d43fb4c..3c8238710814be1beb7e55c3209fcd3840c898a5100644

--- a/test/mjsunit/allocation-site-info.js
+++ b/test/mjsunit/allocation-site-info.js
@@ -75,40 +75,52 @@ function assertKind(expected, obj, name_opt) {
 }

 if (support_smi_only_arrays) {
-    function fastliteralcase(value) {
-        var literal = [1, 2, 3];
-        literal[0] = value;
-        return literal;
-    }
+  function fastliteralcase(literal, value) {
+    // var literal = [1, 2, 3];
+    literal[0] = value;
+    return literal;
+  }
+
+  function get_standard_literal() {
+    var literal = [1, 2, 3];
+    return literal;
+  }

-    // Case: [1,2,3] as allocation site
-    obj = fastliteralcase(1);
-    assertKind(elements_kind.fast_smi_only, obj);
-    obj = fastliteralcase(1.5);
-    assertKind(elements_kind.fast_double, obj);
-    obj = fastliteralcase(2);
-    assertKind(elements_kind.fast_double, obj);
+  // Case: [1,2,3] as allocation site
+  obj = fastliteralcase(get_standard_literal(), 1);
+  assertKind(elements_kind.fast_smi_only, obj);
+  obj = fastliteralcase(get_standard_literal(), 1.5);
+  assertKind(elements_kind.fast_double, obj);
+  obj = fastliteralcase(get_standard_literal(), 2);
+  assertKind(elements_kind.fast_double, obj);

-    // Verify that we will not pretransition the double->fast path.
-    obj = fastliteralcase("elliot");
-    assertKind(elements_kind.fast, obj);
+  obj = fastliteralcase([5, 3, 2], 1.5);
+  assertKind(elements_kind.fast_double, obj);
+  obj = fastliteralcase([3, 6, 2], 1.5);
+  assertKind(elements_kind.fast_double, obj);
+  obj = fastliteralcase([2, 6, 3], 2);
+  assertKind(elements_kind.fast_smi_only, obj);

-    // This fails until we turn off optimistic transitions to the
-    // most general elements kind seen on keyed stores. It's a goal
-    // to turn it off, but for now we need it.
-    // obj = fastliteralcase(3);
-    // assertKind(elements_kind.fast_double, obj);
+  // Verify that we will not pretransition the double->fast path.
+  obj = fastliteralcase(get_standard_literal(), "elliot");
+  assertKind(elements_kind.fast, obj);

-    function fastliteralcase_smifast(value) {
-        var literal = [1, 2, 3, 4];
-        literal[0] = value;
-        return literal;
-    }
+  // This fails until we turn off optimistic transitions to the
+  // most general elements kind seen on keyed stores. It's a goal
+  // to turn it off, but for now we need it.
+  // obj = fastliteralcase(3);
+  // assertKind(elements_kind.fast_double, obj);

-    obj = fastliteralcase_smifast(1);
-    assertKind(elements_kind.fast_smi_only, obj);
-    obj = fastliteralcase_smifast("carter");
-    assertKind(elements_kind.fast, obj);
-    obj = fastliteralcase_smifast(2);
-    assertKind(elements_kind.fast, obj);
-}
\ No newline at end of file
+  function fastliteralcase_smifast(value) {
+    var literal = [1, 2, 3, 4];
+    literal[0] = value;
+    return literal;
+  }
+
+  obj = fastliteralcase_smifast(1);
+  assertKind(elements_kind.fast_smi_only, obj);
+  obj = fastliteralcase_smifast("carter");
+  assertKind(elements_kind.fast, obj);
+  obj = fastliteralcase_smifast(2);
+  assertKind(elements_kind.fast, obj);
+}


--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev

[v8-dev] Incorrect ARM assembly in MacroAssembler::TestJSArrayForAllocationSiteInfo (issue 12045017)

Reply via email to