Reviewers: danno,
Message:
Hi Danno, here is the CL we talked about. Could you have a look?
Thanks,
--Michael
Description:
Special Array constructor type feedback erroneously recorded when Array
was called as a function. Issue was found with optimize_constructed_array
turned on. This patch makes the fix, and turns the flag back on.
BUG=244461
Please review this at https://codereview.chromium.org/16057005/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/arm/code-stubs-arm.cc
M src/flag-definitions.h
M src/ia32/code-stubs-ia32.cc
M src/mips/code-stubs-mips.cc
M src/x64/code-stubs-x64.cc
M test/mjsunit/allocation-site-info.js
A + test/mjsunit/regress/regress-crbug-244461.js
Index: src/arm/code-stubs-arm.cc
diff --git a/src/arm/code-stubs-arm.cc b/src/arm/code-stubs-arm.cc
index
20d4da5e7f64d08c1e7812839d51b36e00c87bbc..c15ecb245e5e24d4aca82ca9fe4ee91b91db4909
100644
--- a/src/arm/code-stubs-arm.cc
+++ b/src/arm/code-stubs-arm.cc
@@ -4588,7 +4588,6 @@ static void
GenerateRecordCallTargetNoArray(MacroAssembler* masm) {
// megamorphic.
// r1 : the function to call
// r2 : cache cell for call target
- ASSERT(!FLAG_optimize_constructed_arrays);
Label done;
ASSERT_EQ(*TypeFeedbackCells::MegamorphicSentinel(masm->isolate()),
@@ -4732,11 +4731,7 @@ void CallFunctionStub::Generate(MacroAssembler*
masm) {
__ b(ne, &slow);
if (RecordCallTarget()) {
- if (FLAG_optimize_constructed_arrays) {
- GenerateRecordCallTarget(masm);
- } else {
- GenerateRecordCallTargetNoArray(masm);
- }
+ GenerateRecordCallTargetNoArray(masm);
}
// Fast-case: Invoke the function now.
Index: src/flag-definitions.h
diff --git a/src/flag-definitions.h b/src/flag-definitions.h
index
2023d6ebc97f561f4caf26edbeb9ccdda94f41a7..8fe6778e67cc26093d8079594351d2c040fa0529
100644
--- a/src/flag-definitions.h
+++ b/src/flag-definitions.h
@@ -258,7 +258,7 @@ DEFINE_bool(unreachable_code_elimination, false,
"eliminate unreachable code (hidden behind soft deopts)")
DEFINE_bool(track_allocation_sites, true,
"Use allocation site info to reduce transitions")
-DEFINE_bool(optimize_constructed_arrays, false,
+DEFINE_bool(optimize_constructed_arrays, true,
"Use allocation site info on constructed arrays")
DEFINE_bool(trace_osr, false, "trace on-stack replacement")
DEFINE_int(stress_runs, 0, "number of stress runs")
Index: src/ia32/code-stubs-ia32.cc
diff --git a/src/ia32/code-stubs-ia32.cc b/src/ia32/code-stubs-ia32.cc
index
325e9b78a457d760baf1b3b4bed98e4588c4c7c2..aa533bf836bffd4c551f894eef6b98b420f2bb5a
100644
--- a/src/ia32/code-stubs-ia32.cc
+++ b/src/ia32/code-stubs-ia32.cc
@@ -4637,7 +4637,6 @@ static void
GenerateRecordCallTargetNoArray(MacroAssembler* masm) {
// megamorphic.
// ebx : cache cell for call target
// edi : the function to call
- ASSERT(!FLAG_optimize_constructed_arrays);
Isolate* isolate = masm->isolate();
Label initialize, done;
@@ -4778,11 +4777,7 @@ void CallFunctionStub::Generate(MacroAssembler*
masm) {
__ j(not_equal, &slow);
if (RecordCallTarget()) {
- if (FLAG_optimize_constructed_arrays) {
- GenerateRecordCallTarget(masm);
- } else {
- GenerateRecordCallTargetNoArray(masm);
- }
+ GenerateRecordCallTargetNoArray(masm);
}
// Fast-case: Just invoke the function.
Index: src/mips/code-stubs-mips.cc
diff --git a/src/mips/code-stubs-mips.cc b/src/mips/code-stubs-mips.cc
index
bd89d44a738acad641d4b425b40ec832af8e91bb..552797adb224d70a3e36b79ec18269ef291811e0
100644
--- a/src/mips/code-stubs-mips.cc
+++ b/src/mips/code-stubs-mips.cc
@@ -4971,7 +4971,6 @@ static void
GenerateRecordCallTargetNoArray(MacroAssembler* masm) {
// megamorphic.
// a1 : the function to call
// a2 : cache cell for call target
- ASSERT(!FLAG_optimize_constructed_arrays);
Label done;
ASSERT_EQ(*TypeFeedbackCells::MegamorphicSentinel(masm->isolate()),
@@ -5114,11 +5113,7 @@ void CallFunctionStub::Generate(MacroAssembler*
masm) {
__ Branch(&slow, ne, a3, Operand(JS_FUNCTION_TYPE));
if (RecordCallTarget()) {
- if (FLAG_optimize_constructed_arrays) {
- GenerateRecordCallTarget(masm);
- } else {
- GenerateRecordCallTargetNoArray(masm);
- }
+ GenerateRecordCallTargetNoArray(masm);
}
// Fast-case: Invoke the function now.
Index: src/x64/code-stubs-x64.cc
diff --git a/src/x64/code-stubs-x64.cc b/src/x64/code-stubs-x64.cc
index
d2ed601a0084709b4ccfff0388227e6a2d9c8a57..5da0990880b7ba88da1e2068768b66a63729addb
100644
--- a/src/x64/code-stubs-x64.cc
+++ b/src/x64/code-stubs-x64.cc
@@ -3672,7 +3672,6 @@ static void
GenerateRecordCallTargetNoArray(MacroAssembler* masm) {
// megamorphic.
// rbx : cache cell for call target
// rdi : the function to call
- ASSERT(!FLAG_optimize_constructed_arrays);
Isolate* isolate = masm->isolate();
Label initialize, done;
@@ -3810,11 +3809,7 @@ void CallFunctionStub::Generate(MacroAssembler*
masm) {
__ j(not_equal, &slow);
if (RecordCallTarget()) {
- if (FLAG_optimize_constructed_arrays) {
- GenerateRecordCallTarget(masm);
- } else {
- GenerateRecordCallTargetNoArray(masm);
- }
+ GenerateRecordCallTargetNoArray(masm);
}
// Fast-case: Just invoke the function.
Index: test/mjsunit/allocation-site-info.js
diff --git a/test/mjsunit/allocation-site-info.js
b/test/mjsunit/allocation-site-info.js
index
d7189932141378b8f06f7312062cd1402e5914ee..45605317fea69bfd116897c75e9a1a08fc5a9bdb
100644
--- a/test/mjsunit/allocation-site-info.js
+++ b/test/mjsunit/allocation-site-info.js
@@ -37,7 +37,7 @@
// support_smi_only_arrays = %HasFastSmiElements(new
Array(1,2,3,4,5,6,7,8));
support_smi_only_arrays = true;
-optimize_constructed_arrays = false;
+optimize_constructed_arrays = true;
if (support_smi_only_arrays) {
print("Tests include smi-only arrays.");
Index: test/mjsunit/regress/regress-crbug-244461.js
diff --git a/test/mjsunit/regress/regress-110509.js
b/test/mjsunit/regress/regress-crbug-244461.js
similarity index 87%
copy from test/mjsunit/regress/regress-110509.js
copy to test/mjsunit/regress/regress-crbug-244461.js
index
132bd233bee32f6c84061049224ea43901dae06a..9c7c2b6c43ab18a991e71fe435609e7a5252f740
100644
--- a/test/mjsunit/regress/regress-110509.js
+++ b/test/mjsunit/regress/regress-crbug-244461.js
@@ -25,17 +25,17 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-// Flags: --allow-natives-syntax
+// Flags: --allow-natives-syntax --smi-only-arrays
+// Flags: --track-allocation-sites
-// Verify that LRandom preserves rsi correctly.
-
-function foo() {
- Math.random();
- new Function("");
+function foo(arg) {
+ var a = arg();
+ return a;
}
-foo();
-foo();
-foo();
+
+foo(Array);
+foo(Array);
%OptimizeFunctionOnNextCall(foo);
-foo();
+// Compilation of foo will crash without the bugfix for 244461
+foo(Array);
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
