Reviewers: Sven Panne,

Description:
Merged r14584, r14596 into 3.18 branch.

Do not change environment between simulate and scope with no observable
side-effects in HandlePropertyAssignment.

Fix environment in HOptimizedGraphBuilder::VisitCountOperation. Follow-up for
r14584.

BUG=v8:2671,v8:2671
[email protected]

Please review this at https://chromiumcodereview.appspot.com/15023016/

SVN Base: https://v8.googlecode.com/svn/branches/3.18

Affected files:
  M src/hydrogen.cc
  M src/version.cc
  A + test/mjsunit/regress/regress-2671-1.js
  A + test/mjsunit/regress/regress-2671.js


Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index ec98dc64a2d72495ba0a979ed8bd7b8322b2b953..617a96fba6f144cc39b6f9e2e8ca0c8dc74b035a 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -7274,14 +7274,15 @@ void HOptimizedGraphBuilder::HandlePropertyAssignment(Assignment* expr) {
     // Keyed store.
     CHECK_ALIVE(VisitForValue(prop->key()));
     CHECK_ALIVE(VisitForValue(expr->value()));
-    HValue* value = Pop();
-    HValue* key = Pop();
-    HValue* object = Pop();
+    HValue* value = environment()->ExpressionStackAt(0);
+    HValue* key = environment()->ExpressionStackAt(1);
+    HValue* object = environment()->ExpressionStackAt(2);
     bool has_side_effects = false;
HandleKeyedElementAccess(object, key, value, expr, expr->AssignmentId(),
                              expr->position(),
                              true,  // is_store
                              &has_side_effects);
+    Drop(3);
     Push(value);
     AddSimulate(expr->AssignmentId(), REMOVABLE_SIMULATE);
     return ast_context()->ReturnValue(Pop());
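Review bot: The switch from `Pop()` to `environment()->ExpressionStackAt(0)`..`(2)` followed by `Drop(3)` has no comment saying why the operands must stay on the expression stack across `HandleKeyedElementAccess`, so a later cleanup could fold it back into three pops and reintroduce the mismatch. Going by the commit description, the intent is that the environment stays unchanged between the preceding simulate and the store. I would add above the three reads something like `// Keep object, key and value on the expression stack until the store is built, so the environment still matches the last simulate.` The same applies to `input = environment()->ExpressionStackAt(0);` in the first VisitCountOperation hunk, whose matching `Drop(2)` sits in the following hunk. HandlePropertyAssignment starts before this hunk and continues after it, so whether other paths in the function still pop before the store cannot be seen here.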
@@ -10013,7 +10014,7 @@ void HOptimizedGraphBuilder::VisitCountOperation(CountOperation* expr) {
 if (has_side_effects) AddSimulate(prop->LoadId(), REMOVABLE_SIMULATE);

       after = BuildIncrement(returns_original_input, expr);
-      input = Pop();
+      input = environment()->ExpressionStackAt(0);

       expr->RecordTypeFeedback(oracle(), zone());
       HandleKeyedElementAccess(obj, key, after, expr, expr->AssignmentId(),
@@ -10021,10 +10022,10 @@ void HOptimizedGraphBuilder::VisitCountOperation(CountOperation* expr) {
                                true,  // is_store
                                &has_side_effects);

-      // Drop the key from the bailout environment.  Overwrite the receiver
-      // with the result of the operation, and the placeholder with the
-      // original value if necessary.
-      Drop(1);
+      // Drop the key and the original value from the bailout environment.
+      // Overwrite the receiver with the result of the operation, and the
+      // placeholder with the original value if necessary.
+      Drop(2);
       environment()->SetExpressionStackAt(0, after);
if (returns_original_input) environment()->SetExpressionStackAt(1, input);
       ASSERT(has_side_effects);  // Stores always have side effects.
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index 733d2343b209d261b0f1e5e211b8d8758aa47dc3..5b29a6a80b16064a61cd966df4ba2f6e346cd404 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     18
 #define BUILD_NUMBER      5
-#define PATCH_LEVEL       3
+#define PATCH_LEVEL       4
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
Index: test/mjsunit/regress/regress-2671-1.js
diff --git a/test/mjsunit/regress/regress-crbug-173974.js b/test/mjsunit/regress/regress-2671-1.js
similarity index 93%
copy from test/mjsunit/regress/regress-crbug-173974.js
copy to test/mjsunit/regress/regress-2671-1.js
index 905bd6058a0ad0fe2ebe10e4c7dafbe9945cbe3b..042a501e5adb86cd7d868ec721edef8edde27274 100644
--- a/test/mjsunit/regress/regress-crbug-173974.js
+++ b/test/mjsunit/regress/regress-2671-1.js
@@ -27,10 +27,19 @@

 // Flags: --allow-natives-syntax

+var y;
 function f() {
-  var count = "";
-  count[0] --;
+  var a = [];
+  a[20] = 0;
+  y = 3;
+  var i = 7 * (y + -0);
+  a[i]++;
+  assertTrue(isNaN(a[i]));
 }
+
+f();
+f();
 f();
 %OptimizeFunctionOnNextCall(f);
 f();
+
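Review bot: Nothing in the test says which condition it is meant to hit. `7 * (y + -0)` evaluates to 21, one past the only index the array was given a value at (`a[20]`), and that out-of-range keyed access in the optimized run is presumably what exercises the corrected environment. A one-line comment above `var i`, for example `// i == 21, one past the last written index (a[20]).`, would keep the test from being simplified into one that no longer covers the bug. regress-2671.js has the same shape with `a[i] = 1/y;` and needs the same comment. Both files also gain a blank line at the very end, which can be dropped.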
Index: test/mjsunit/regress/regress-2671.js
diff --git a/test/mjsunit/regress/regress-crbug-173974.js b/test/mjsunit/regress/regress-2671.js
similarity index 93%
copy from test/mjsunit/regress/regress-crbug-173974.js
copy to test/mjsunit/regress/regress-2671.js
index 905bd6058a0ad0fe2ebe10e4c7dafbe9945cbe3b..8da1b8f07f69c487fe9913e485c60f3e257e0986 100644
--- a/test/mjsunit/regress/regress-crbug-173974.js
+++ b/test/mjsunit/regress/regress-2671.js
@@ -27,10 +27,19 @@

 // Flags: --allow-natives-syntax

+var y;
 function f() {
-  var count = "";
-  count[0] --;
+  var a = [];
+  a[20] = 0;
+  y = 3;
+  var i = 7 * (y + -0);
+  a[i] = 1/y;
+  assertFalse(isNaN(a[i]));
 }
+
+f();
+f();
 f();
 %OptimizeFunctionOnNextCall(f);
 f();
+

