Revision: 16217
Author: [email protected]
Date: Mon Aug 19 11:18:02 2013 UTC
Log: Merged r16150, r16174, r16175 into 3.19 branch.
Fix regressions triggered by map invalidation during graph creation.
Fix bug in HPhi::SimplifyConstantInput.
Use Cell instead of PropertyCell in DoCheckFunction (in case of new space
object).
[email protected]
BUG=269679
Review URL: https://codereview.chromium.org/22984009
http://code.google.com/p/v8/source/detail?r=16217
Added:
/branches/3.19/test/mjsunit/regress/regress-map-invalidation-1.js
/branches/3.19/test/mjsunit/regress/regress-map-invalidation-2.js
/branches/3.19/test/mjsunit/regress/regress-phi-truncation.js
Modified:
/branches/3.19/src/arm/lithium-codegen-arm.cc
/branches/3.19/src/assert-scope.h
/branches/3.19/src/compiler.cc
/branches/3.19/src/compiler.h
/branches/3.19/src/hydrogen-instructions.cc
/branches/3.19/src/hydrogen-instructions.h
/branches/3.19/src/mips/lithium-codegen-mips.cc
/branches/3.19/src/objects.cc
/branches/3.19/src/version.cc
=======================================
--- /dev/null
+++ /branches/3.19/test/mjsunit/regress/regress-map-invalidation-1.js Mon
Aug 19 11:18:02 2013 UTC
@@ -0,0 +1,49 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+var c = { x: 2, y: 1 };
+
+function h() {
+ try { // do not optimize this function
+ var o = { x: 2.2, y: 1.1 };
+ return 2;
+ } catch (e) { }
+}
+
+function f() {
+ for (var i = 0; i < 100000; i++) {
+ var n = c.x + h();
+ assertEquals(4, n);
+ }
+ var o2 = [{ x: 2.5, y:1 }];
+ return o2;
+}
+
+f();
+
=======================================
--- /dev/null
+++ /branches/3.19/test/mjsunit/regress/regress-map-invalidation-2.js Mon
Aug 19 11:18:02 2013 UTC
@@ -0,0 +1,49 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+var c = { x: 2, y: 1 };
+
+function g() {
+ var outer = { foo: 1 };
+ function f() {
+ var n = outer.foo;
+ for (var i = 0; i < 100000; i++) {
+ n += c.x + outer.foo;
+ }
+ var o2 = [{ x: 1.5, y: 1 }];
+ return o2;
+ }
+ return f;
+}
+
+var fun = g();
+fun();
+assertTrue(%GetOptimizationStatus(fun) != 2);
+fun();
+
=======================================
--- /dev/null
+++ /branches/3.19/test/mjsunit/regress/regress-phi-truncation.js Mon Aug
19 11:18:02 2013 UTC
@@ -0,0 +1,89 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+function test(fun, expectation) {
+ assertEquals(1, fun(1));
+ %OptimizeFunctionOnNextCall(fun);
+ assertEquals(expectation, fun(0));
+}
+
+test(function(x) {
+ var a = x ? true : false;
+ return a | 0;
+}, 0);
+
+test(function(x) {
+ var a = x ? true : true;
+ return a | 0;
+}, 1);
+
+test(function(x) {
+ var a = x ? true : "0";
+ return a | 0;
+}, 0);
+
+test(function(x) {
+ var a = x ? true : "1";
+ return a | 0;
+}, 1);
+
+test(function(x) {
+ var a = x ? true : "-1";
+ return a | 0;
+}, -1);
+
+test(function(x) {
+ var a = x ? true : "-0";
+ return a | 0;
+}, 0);
+
+test(function(x) {
+ var a = x ? true : "0x1234";
+ return a | 0;
+}, 0x1234);
+
+test(function(x) {
+ var a = x ? true : { valueOf: function() { return 2; } };
+ return a | 0;
+}, 2);
+
+test(function(x) {
+ var a = x ? true : undefined;
+ return a | 0;
+}, 0);
+
+test(function(x) {
+ var a = x ? true : null;
+ return a | 0;
+}, 0);
+
+test(function(x) {
+ var a = x ? true : "";
+ return a | 0;
+}, 0);
=======================================
--- /branches/3.19/src/arm/lithium-codegen-arm.cc Mon Aug 5 09:53:12 2013
UTC
+++ /branches/3.19/src/arm/lithium-codegen-arm.cc Mon Aug 19 11:18:02 2013
UTC
@@ -5249,7 +5249,7 @@
AllowDeferredHandleDereference smi_check;
if (isolate()->heap()->InNewSpace(*target)) {
Register reg = ToRegister(instr->value());
- Handle<Cell> cell = isolate()->factory()->NewPropertyCell(target);
+ Handle<Cell> cell = isolate()->factory()->NewCell(target);
__ mov(ip, Operand(Handle<Object>(cell)));
__ ldr(ip, FieldMemOperand(ip, Cell::kValueOffset));
__ cmp(reg, ip);
=======================================
--- /branches/3.19/src/assert-scope.h Thu Jun 13 14:40:17 2013 UTC
+++ /branches/3.19/src/assert-scope.h Mon Aug 19 11:18:02 2013 UTC
@@ -41,6 +41,7 @@
HANDLE_ALLOCATION_ASSERT,
HANDLE_DEREFERENCE_ASSERT,
DEFERRED_HANDLE_DEREFERENCE_ASSERT,
+ CODE_DEPENDENCY_CHANGE_ASSERT,
LAST_PER_THREAD_ASSERT_TYPE
};
@@ -170,6 +171,14 @@
typedef PerThreadAssertScope<DEFERRED_HANDLE_DEREFERENCE_ASSERT, true>
AllowDeferredHandleDereference;
+// Scope to document where we do not expect deferred handles to be
dereferenced.
+typedef PerThreadAssertScope<CODE_DEPENDENCY_CHANGE_ASSERT, false>
+ DisallowCodeDependencyChange;
+
+// Scope to introduce an exception to DisallowDeferredHandleDereference.
+typedef PerThreadAssertScope<CODE_DEPENDENCY_CHANGE_ASSERT, true>
+ AllowCodeDependencyChange;
+
} } // namespace v8::internal
#endif // V8_ASSERT_SCOPE_H_
=======================================
--- /branches/3.19/src/compiler.cc Thu Jun 13 14:40:17 2013 UTC
+++ /branches/3.19/src/compiler.cc Mon Aug 19 11:18:02 2013 UTC
@@ -114,6 +114,7 @@
return;
}
mode_ = V8::UseCrankshaft() ? mode : NONOPT;
+ abort_due_to_dependency_ = false;
if (script_->type()->value() == Script::TYPE_NATIVE) {
MarkAsNative();
}
@@ -426,6 +427,12 @@
return AbortOptimization();
}
}
+
+ if (info()->HasAbortedDueToDependencyChange()) {
+ info_->set_bailout_reason("bailed out due to dependency change");
+ info_->AbortOptimization();
+ return SetLastStatus(BAILED_OUT);
+ }
return SetLastStatus(SUCCEEDED);
}
@@ -434,6 +441,7 @@
DisallowHeapAllocation no_allocation;
DisallowHandleAllocation no_handles;
DisallowHandleDereference no_deref;
+ DisallowCodeDependencyChange no_dependency_change;
ASSERT(last_status() == SUCCEEDED);
Timer t(this, &time_taken_to_optimize_);
@@ -454,6 +462,8 @@
OptimizingCompiler::Status OptimizingCompiler::GenerateAndInstallCode() {
ASSERT(last_status() == SUCCEEDED);
+ ASSERT(!info()->HasAbortedDueToDependencyChange());
+ DisallowCodeDependencyChange no_dependency_change;
{ // Scope for timer.
Timer timer(this, &time_taken_to_codegen_);
ASSERT(chunk_ != NULL);
@@ -794,6 +804,7 @@
// was flushed. By setting the code object last we avoid this.
Handle<SharedFunctionInfo> shared = info->shared_info();
Handle<Code> code = info->code();
+ CHECK(code->kind() == Code::FUNCTION);
Handle<JSFunction> function = info->closure();
Handle<ScopeInfo> scope_info =
ScopeInfo::Create(info->scope(), info->zone());
@@ -1038,7 +1049,7 @@
// If crankshaft succeeded, install the optimized code else install
// the unoptimized code.
OptimizingCompiler::Status status = optimizing_compiler->last_status();
- if (info->HasAbortedDueToDependentMap()) {
+ if (info->HasAbortedDueToDependencyChange()) {
info->set_bailout_reason("bailed out due to dependent map");
status = optimizing_compiler->AbortOptimization();
} else if (status != OptimizingCompiler::SUCCEEDED) {
=======================================
--- /branches/3.19/src/compiler.h Wed Jun 12 22:31:22 2013 UTC
+++ /branches/3.19/src/compiler.h Mon Aug 19 11:18:02 2013 UTC
@@ -291,12 +291,14 @@
return object_wrapper_;
}
- void AbortDueToDependentMap() {
- mode_ = DEPENDENT_MAP_ABORT;
+ void AbortDueToDependencyChange() {
+ ASSERT(!isolate()->optimizing_compiler_thread()->IsOptimizerThread());
+ abort_due_to_dependency_ = true;
}
- bool HasAbortedDueToDependentMap() {
- return mode_ == DEPENDENT_MAP_ABORT;
+ bool HasAbortedDueToDependencyChange() {
+ ASSERT(!isolate()->optimizing_compiler_thread()->IsOptimizerThread());
+ return abort_due_to_dependency_;
}
protected:
@@ -316,8 +318,7 @@
BASE,
OPTIMIZE,
NONOPT,
- STUB,
- DEPENDENT_MAP_ABORT
+ STUB
};
void Initialize(Isolate* isolate, Mode mode, Zone* zone);
@@ -391,6 +392,9 @@
Mode mode_;
BailoutId osr_ast_id_;
+ // Flag whether compilation needs to be aborted due to dependency change.
+ bool abort_due_to_dependency_;
+
// The zone from which the compilation pipeline working on this
// CompilationInfo allocates.
Zone* zone_;
=======================================
--- /branches/3.19/src/hydrogen-instructions.cc Mon Aug 5 09:53:12 2013 UTC
+++ /branches/3.19/src/hydrogen-instructions.cc Mon Aug 19 11:18:02 2013 UTC
@@ -3635,10 +3635,10 @@
Representation::Integer32());
integer_input->InsertAfter(operand);
SetOperandAt(i, integer_input);
- } else if (operand == graph->GetConstantTrue()) {
- SetOperandAt(i, graph->GetConstant1());
- } else {
- // This catches |false|, |undefined|, strings and objects.
+ } else if (operand->HasBooleanValue()) {
+ SetOperandAt(i, operand->BooleanValue() ? graph->GetConstant1()
+ : graph->GetConstant0());
+ } else if (operand->ImmortalImmovable()) {
SetOperandAt(i, graph->GetConstant0());
}
}
=======================================
--- /branches/3.19/src/hydrogen-instructions.h Mon Aug 5 09:53:12 2013 UTC
+++ /branches/3.19/src/hydrogen-instructions.h Mon Aug 19 11:18:02 2013 UTC
@@ -3314,6 +3314,7 @@
return HasStringValue() && is_internalized_string_;
}
+ bool HasBooleanValue() const { return type_from_value_.IsBoolean(); }
bool BooleanValue() const { return boolean_value_; }
virtual intptr_t Hashcode() {
=======================================
--- /branches/3.19/src/mips/lithium-codegen-mips.cc Mon Aug 5 09:53:12
2013 UTC
+++ /branches/3.19/src/mips/lithium-codegen-mips.cc Mon Aug 19 11:18:02
2013 UTC
@@ -5179,7 +5179,7 @@
AllowDeferredHandleDereference smi_check;
if (isolate()->heap()->InNewSpace(*target)) {
Register reg = ToRegister(instr->value());
- Handle<Cell> cell = isolate()->factory()->NewPropertyCell(target);
+ Handle<Cell> cell = isolate()->factory()->NewCell(target);
__ li(at, Operand(Handle<Object>(cell)));
__ lw(at, FieldMemOperand(at, Cell::kValueOffset));
DeoptimizeIf(ne, instr->environment(), reg,
=======================================
--- /branches/3.19/src/objects.cc Mon Jul 22 11:32:11 2013 UTC
+++ /branches/3.19/src/objects.cc Mon Aug 19 11:18:02 2013 UTC
@@ -11265,6 +11265,7 @@
void DependentCode::DeoptimizeDependentCodeGroup(
Isolate* isolate,
DependentCode::DependencyGroup group) {
+ ASSERT(AllowCodeDependencyChange::IsAllowed());
DisallowHeapAllocation no_allocation_scope;
DependentCode::GroupStartIndexes starts(this);
int start = starts.at(group);
@@ -11277,7 +11278,7 @@
code->set_marked_for_deoptimization(true);
} else {
CompilationInfo* info = compilation_info_at(i);
- info->AbortDueToDependentMap();
+ info->AbortDueToDependencyChange();
}
}
// Compact the array by moving all subsequent groups to fill in the new
holes.
=======================================
--- /branches/3.19/src/version.cc Tue Aug 13 12:02:58 2013 UTC
+++ /branches/3.19/src/version.cc Mon Aug 19 11:18:02 2013 UTC
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 19
#define BUILD_NUMBER 18
-#define PATCH_LEVEL 19
+#define PATCH_LEVEL 20
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
