Reviewers: Yang,
Message:
Committed patchset #1 manually as r15884 (presubmit successful).
Description:
Fix JSArray-specific length lookup in polymorphic array handling
BUG=chromium:263276
[email protected]
Committed: http://code.google.com/p/v8/source/detail?r=15884
Please review this at https://codereview.chromium.org/20295005/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/hydrogen.cc
A + test/mjsunit/regress/regress-crbug-263276.js
Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index
7a761a392e78c77034c553748747606ad4e21a4d..97a66790e47d1ed41a0bd102d9331bac0041b658
100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -5701,7 +5701,7 @@ HValue*
HOptimizedGraphBuilder::HandlePolymorphicElementAccess(
elements, isolate()->factory()->fixed_array_map(),
zone(), top_info(), mapcompare));
}
- if (map->IsJSArray()) {
+ if (map->instance_type() == JS_ARRAY_TYPE) {
HInstruction* length = AddLoad(object,
HObjectAccess::ForArrayLength(),
mapcompare, Representation::Smi());
length->set_type(HType::Smi());
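Review bot: The new condition `map->instance_type() == JS_ARRAY_TYPE` carries no comment saying why the type predicate was replaced, so a later cleanup could turn it back into `map->IsJSArray()`, which still compiles. Judging from the change, `map` is the receiver's map rather than the receiver, so the object-level predicate presumably never matched and the JSArray length load below was skipped; I would add `// |map| is a Map: check its instance type, IsJSArray() would test the map object itself.` above the `if`. Since this length presumably feeds the bounds check of the optimized element access, it is worth grepping the rest of hydrogen.cc for other object-type predicates called on a map handle. HandlePolymorphicElementAccess starts and ends outside this hunk.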
Index: test/mjsunit/regress/regress-crbug-263276.js
diff --git a/test/mjsunit/array-non-smi-length.js
b/test/mjsunit/regress/regress-crbug-263276.js
similarity index 83%
copy from test/mjsunit/array-non-smi-length.js
copy to test/mjsunit/regress/regress-crbug-263276.js
index
23a25ee797bd68690ad2a7ce26a9135e23b486e2..05aa94cc857136d070093e026ef3daa6d98189c0
100644
--- a/test/mjsunit/array-non-smi-length.js
+++ b/test/mjsunit/regress/regress-crbug-263276.js
@@ -27,20 +27,20 @@
// Flags: --allow-natives-syntax
-function TestNonSmiArrayLength() {
- function f(a) {
- return a.length+1;
- }
+var array1 = [];
+array1.foo = true;
- var a = [];
- a.length = 0xFFFF;
- assertSame(0x10000, f(a));
- assertSame(0x10000, f(a));
+var array2 = [];
+array2.bar = true;
- %OptimizeFunctionOnNextCall(f);
- a.length = 0xFFFFFFFF;
- assertSame(0x100000000, f(a));
+function bad(array) {
+ array[array.length] = 1;
}
-TestNonSmiArrayLength();
-
+bad(array1);
+bad(array1);
+bad(array2); // Length is now 1.
+bad(array2); // Length is now 2.
+%OptimizeFunctionOnNextCall(bad);
+bad(array2); // Length is now 3.
+assertEquals(3, array2.length);
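Review bot: The regression test checks only `array2.length` after the optimized call, so a store that updates the length but lands at the wrong index would still pass; adding `assertEquals(1, array2[2]);` after the last line would pin the stored element as well. A short comment above `array1.foo = true;` saying that the two different named properties are there to give the arrays distinct maps (which appears to be what makes `bad` polymorphic) would keep someone from simplifying the setup away.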