Reviewers: Michael Starzinger,

Message:
PTAL.

Description:
Fast literals: fixed initialization of non-copied in-object property fields

BUG=chromium:245424

Please review this at https://codereview.chromium.org/16190008/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files:
  M src/hydrogen.cc
  A + test/mjsunit/regress/regress-crbug-245424.js


Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 54a522506287259d83a7684002e5ad1fac33fc07..7ee6081026b7c58a786a3e3a5985a69259b1f787 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -10059,7 +10059,9 @@ void HOptimizedGraphBuilder::BuildEmitInObjectProperties(
       HConstant(isolate()->factory()->one_pointer_filler_map(),
           Representation::Tagged()));
   for (int i = copied_fields; i < inobject_properties; i++) {
-    HObjectAccess access = HObjectAccess::ForJSObjectOffset(i);
+    ASSERT(boilerplate_object->IsJSObject());
+    int property_offset = boilerplate_object->GetInObjectPropertyOffset(i);
+ HObjectAccess access = HObjectAccess::ForJSObjectOffset(property_offset);
     AddStore(object_properties, access, value_instruction);
   }
 }
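Review bot: The `ASSERT(boilerplate_object->IsJSObject());` added inside the `for` loop is loop-invariant, and as a debug-only macro it gives no protection in release builds; it would read better hoisted to just above the loop. The defect fixed here appears to be a property index passed where `HObjectAccess::ForJSObjectOffset` expects a byte offset, which would aim the filler-map store at the wrong location in the object. A short comment on the new offset line would help keep that distinction from regressing, for example `// i is a property index; ForJSObjectOffset takes a byte offset.` The body of BuildEmitInObjectProperties starts outside this hunk, so whether `boilerplate_object` is already statically typed as a JSObject handle (which would make the assert redundant) cannot be confirmed from here.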
Index: test/mjsunit/regress/regress-crbug-245424.js
diff --git a/test/mjsunit/regress/regress-crbug-173974.js b/test/mjsunit/regress/regress-crbug-245424.js
similarity index 90%
copy from test/mjsunit/regress/regress-crbug-173974.js
copy to test/mjsunit/regress/regress-crbug-245424.js
index 905bd6058a0ad0fe2ebe10e4c7dafbe9945cbe3b..804332c97494d1336953f7e0ae529fd720bc1c6e 100644
--- a/test/mjsunit/regress/regress-crbug-173974.js
+++ b/test/mjsunit/regress/regress-crbug-245424.js
@@ -27,10 +27,15 @@

 // Flags: --allow-natives-syntax

-function f() {
-  var count = "";
-  count[0] --;
+function boom() {
+  var a = {
+    foo: "bar",
+    foo: "baz"
+  };
+  return a;
 }
-f();
-%OptimizeFunctionOnNextCall(f);
-f();
+
+print(boom().foo);
+print(boom().foo);
+%OptimizeFunctionOnNextCall(boom);
+print(boom().foo);
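Review bot: The new test only prints `boom().foo`, so as far as the visible lines show it fails only if the optimized code crashes and would still pass if a wrong value came back after `%OptimizeFunctionOnNextCall(boom)`. Pinning the expected result makes the regression check stricter: replace each `print(boom().foo);` with `assertEquals("baz", boom().foo);`, since the later duplicate key wins. A one-line comment above `boom` saying that the duplicate `foo` key is what leaves an in-object field uncopied would also tell future readers why the literal looks the way it does.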

