Reviewers: Yang,
Description:
Temporarily disable optimization for StringWrappers to use native valueOf
V8 stores this information directly in the map of the wrapper; however,
it is not invalidated when the prototype of the wrapper is changed, so
once the bit is set, it is no longer possible to override valueOf.
This bug is currently hidden in Chrome since the i18n extension always
modifies the String.prototype, and so the optimization never kicks in.
Disabling the optimization temporarily allows for snapshotting i18n now.
BUG=v8:2855
[email protected]
TEST=mjsunit/regress/regress-2855.js
Please review this at https://codereview.chromium.org/23060030/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/arm/full-codegen-arm.cc
M src/ia32/full-codegen-ia32.cc
M src/mips/full-codegen-mips.cc
M src/x64/full-codegen-x64.cc
A + test/mjsunit/regress/regress-2855.js
Index: src/arm/full-codegen-arm.cc
diff --git a/src/arm/full-codegen-arm.cc b/src/arm/full-codegen-arm.cc
index
b73006a17d99136d69d5b8a782ae3134fdd20675..22432965482de6498f3e19a0e0a6c107ec9b92f4
100644
--- a/src/arm/full-codegen-arm.cc
+++ b/src/arm/full-codegen-arm.cc
@@ -3079,11 +3079,6 @@ void
FullCodeGenerator::EmitIsStringWrapperSafeForDefaultValueOf(
__ cmp(r2, r3);
__ b(ne, if_false);
- // Set the bit in the map to indicate that it has been checked safe for
- // default valueOf and set true result.
- __ ldrb(r2, FieldMemOperand(r1, Map::kBitField2Offset));
- __ orr(r2, r2, Operand(1 << Map::kStringWrapperSafeForDefaultValueOf));
- __ strb(r2, FieldMemOperand(r1, Map::kBitField2Offset));
__ jmp(if_true);
PrepareForBailoutBeforeSplit(expr, true, if_true, if_false);
Index: src/ia32/full-codegen-ia32.cc
diff --git a/src/ia32/full-codegen-ia32.cc b/src/ia32/full-codegen-ia32.cc
index
f08a269e85b576e46b7036fdbd6febc94732687b..bfe1f2231250ab025cd551d235e0cf170f58a869
100644
--- a/src/ia32/full-codegen-ia32.cc
+++ b/src/ia32/full-codegen-ia32.cc
@@ -3030,10 +3030,6 @@ void
FullCodeGenerator::EmitIsStringWrapperSafeForDefaultValueOf(
ContextOperand(edx,
Context::STRING_FUNCTION_PROTOTYPE_MAP_INDEX));
__ j(not_equal, if_false);
- // Set the bit in the map to indicate that it has been checked safe for
- // default valueOf and set true result.
- __ or_(FieldOperand(ebx, Map::kBitField2Offset),
- Immediate(1 << Map::kStringWrapperSafeForDefaultValueOf));
__ jmp(if_true);
PrepareForBailoutBeforeSplit(expr, true, if_true, if_false);
Index: src/mips/full-codegen-mips.cc
diff --git a/src/mips/full-codegen-mips.cc b/src/mips/full-codegen-mips.cc
index
b60502c9a5bffa8bdb23daa3ea27fe425b5ab123..9da8e549709368ab51c0879f10d24ee9cfeb2345
100644
--- a/src/mips/full-codegen-mips.cc
+++ b/src/mips/full-codegen-mips.cc
@@ -3099,11 +3099,6 @@ void
FullCodeGenerator::EmitIsStringWrapperSafeForDefaultValueOf(
__ lw(a3, ContextOperand(a3,
Context::STRING_FUNCTION_PROTOTYPE_MAP_INDEX));
__ Branch(if_false, ne, a2, Operand(a3));
- // Set the bit in the map to indicate that it has been checked safe for
- // default valueOf and set true result.
- __ lbu(a2, FieldMemOperand(a1, Map::kBitField2Offset));
- __ Or(a2, a2, Operand(1 << Map::kStringWrapperSafeForDefaultValueOf));
- __ sb(a2, FieldMemOperand(a1, Map::kBitField2Offset));
__ jmp(if_true);
PrepareForBailoutBeforeSplit(expr, true, if_true, if_false);
Index: src/x64/full-codegen-x64.cc
diff --git a/src/x64/full-codegen-x64.cc b/src/x64/full-codegen-x64.cc
index
6333e87bea1b6c2ed82cd2b4ea153dd0cc917890..9f2074c58c435921e8ef9295f90ca28df69a12bc
100644
--- a/src/x64/full-codegen-x64.cc
+++ b/src/x64/full-codegen-x64.cc
@@ -3007,10 +3007,6 @@ void
FullCodeGenerator::EmitIsStringWrapperSafeForDefaultValueOf(
__ cmpq(rcx,
ContextOperand(rdx,
Context::STRING_FUNCTION_PROTOTYPE_MAP_INDEX));
__ j(not_equal, if_false);
- // Set the bit in the map to indicate that it has been checked safe for
- // default valueOf and set true result.
- __ or_(FieldOperand(rbx, Map::kBitField2Offset),
- Immediate(1 << Map::kStringWrapperSafeForDefaultValueOf));
__ jmp(if_true);
PrepareForBailoutBeforeSplit(expr, true, if_true, if_false);
Index: test/mjsunit/regress/regress-2855.js
diff --git a/test/mjsunit/elements-transition-and-store.js
b/test/mjsunit/regress/regress-2855.js
similarity index 85%
copy from test/mjsunit/elements-transition-and-store.js
copy to test/mjsunit/regress/regress-2855.js
index
7a07b3eeca312c7a68df14c054bb069ed0a1c421..a7c76865a4c8fe58df2bf1c815b08a8e56ac9f8c
100644
--- a/test/mjsunit/elements-transition-and-store.js
+++ b/test/mjsunit/regress/regress-2855.js
@@ -25,17 +25,17 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-// Flags: --notrack-allocation-sites
-
-function foo(a, v) {
- a[0] = v;
+function foo(a) {
+ for (var i = 0; i < 100; ++i)
+ a = new String(a);
return a;
}
-for (var i = 0; i < 3; ++i) {
- var a = Array();
- a = foo(a, 1.5);
- assertEquals(a[0], 1.5);
- a = foo(a, 2);
- assertEquals(a[0], 2);
+var expected = "hello";
+for (var i = 0; i < 4; ++i) {
+ if (i == 2) {
+ String.prototype.valueOf = function() { return 42; }
+ expected = "42";
+ }
+ assertEquals(expected, "" + foo("hello"));
}
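Review bot: The final loop in regress-2855.js does not say why the override is installed at `i == 2`, yet that ordering is what makes this a regression test. The first two iterations have to run with the native valueOf so that any cached "safe" state on the wrapper's map exists before String.prototype.valueOf is replaced. I would add a comment above the loop such as `// Run with the native valueOf first so a cached "safe for default valueOf" state exists before the override.` The test also leaves String.prototype.valueOf replaced when it finishes. If a runner configuration can share a context between mjsunit files, saving the original and restoring it after the loop would stop the override leaking into later tests.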