Reviewers: Jakob,
Description:
Correct large packed array length limitation
The length of packed array could be up to kInitialMaxFastElementArray
instead of
(kInitialMaxFastElementArray -1)
BUG=
Please review this at https://codereview.chromium.org/23441080/
SVN Base: git://github.com/v8/v8.git@master
Affected files (+6, -6 lines):
M src/code-stubs-hydrogen.cc
M src/elements.cc
M test/mjsunit/allocation-site-info.js
M test/mjsunit/array-constructor-feedback.js
M test/mjsunit/array-feedback.js
Index: src/code-stubs-hydrogen.cc
diff --git a/src/code-stubs-hydrogen.cc b/src/code-stubs-hydrogen.cc
index
0d06209b613db0f9dc46d32dbab532591edd720d..8496e80381bd927497f0f51b31d5dafe917a4e4a
100644
--- a/src/code-stubs-hydrogen.cc
+++ b/src/code-stubs-hydrogen.cc
@@ -661,7 +661,7 @@ HValue*
CodeStubGraphBuilderBase::BuildArraySingleArgumentConstructor(
HConstant* initial_capacity_node = New<HConstant>(initial_capacity);
AddInstruction(initial_capacity_node);
- HInstruction* checked_arg = Add<HBoundsCheck>(argument,
max_alloc_length);
+ HInstruction* checked_arg = Add<HBoundsCheck>(argument, max_alloc_length
+ 1);
IfBuilder if_builder(this);
if_builder.If<HCompareNumericAndBranch>(checked_arg, constant_zero,
Token::EQ);
Index: src/elements.cc
diff --git a/src/elements.cc b/src/elements.cc
index
89621cb3694ad63288f5b1f9556326da5e02dcc5..fffd4701d38b45a3b418045cc39bbc68aadba2b7
100644
--- a/src/elements.cc
+++ b/src/elements.cc
@@ -1978,7 +1978,7 @@ MUST_USE_RESULT MaybeObject*
ArrayConstructInitializeElements(
Object* obj = (*args)[0];
if (obj->IsSmi()) {
int len = Smi::cast(obj)->value();
- if (len > 0 && len < JSObject::kInitialMaxFastElementArray) {
+ if (len > 0 && len <= JSObject::kInitialMaxFastElementArray) {
ElementsKind elements_kind = array->GetElementsKind();
MaybeObject* maybe_array = array->Initialize(len, len);
if (maybe_array->IsFailure()) return maybe_array;
Index: test/mjsunit/allocation-site-info.js
diff --git a/test/mjsunit/allocation-site-info.js
b/test/mjsunit/allocation-site-info.js
index
dd22f573f0715ff5053b215d2e6825dad90fcded..07aba55ea038e898c5fa16cfda6fdcaf24f99091
100644
--- a/test/mjsunit/allocation-site-info.js
+++ b/test/mjsunit/allocation-site-info.js
@@ -321,9 +321,9 @@ if (support_smi_only_arrays) {
obj = newarraycase_onearg(0, 5);
assertKind(elements_kind.fast_double, obj);
// Now pass a length that forces the dictionary path.
- obj = newarraycase_onearg(100000, 5);
+ obj = newarraycase_onearg(100001, 5);
assertKind(elements_kind.dictionary, obj);
- assertTrue(obj.length == 100000);
+ assertTrue(obj.length == 100001);
// Verify that cross context calls work
var realmA = Realm.current();
Index: test/mjsunit/array-constructor-feedback.js
diff --git a/test/mjsunit/array-constructor-feedback.js
b/test/mjsunit/array-constructor-feedback.js
index
72ff12c08f0f04c28a7bffa1f3311c173a2d24fd..2e2cf522138235f66ce3e5d22bb6d658f2e959cd
100644
--- a/test/mjsunit/array-constructor-feedback.js
+++ b/test/mjsunit/array-constructor-feedback.js
@@ -153,7 +153,7 @@ if (support_smi_only_arrays) {
assertKind(elements_kind.fast, a);
assertOptimized(bar);
// The stub bails out, but the method call should be fine.
- a = bar(100000);
+ a = bar(100001);
assertOptimized(bar);
assertKind(elements_kind.dictionary, a);
Index: test/mjsunit/array-feedback.js
diff --git a/test/mjsunit/array-feedback.js b/test/mjsunit/array-feedback.js
index
6b1cbb3f5f7b08593dd1db50cdc3b89c524cc232..c5da609b45315151679cb1bbc4e62036fa7ec9ac
100644
--- a/test/mjsunit/array-feedback.js
+++ b/test/mjsunit/array-feedback.js
@@ -119,7 +119,7 @@ if (support_smi_only_arrays) {
assertTrue(isHoley(b));
assertKind(elements_kind.fast, b);
- a = create1(100000);
+ a = create1(100001);
assertKind(elements_kind.dictionary, a);
function create3(arg1, arg2, arg3) {
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
