Reviewers: Toon Verwaest,
Description:
Merged r18483, r18484 into 3.23 branch.
Fix selection of popular pages in store buffer.
Correctly handle instances without elements in polymorphic keyed load/store.
BUG=331444,331416
LOG=N
[email protected]
Please review this at https://codereview.chromium.org/140703002/
SVN Base: https://v8.googlecode.com/svn/branches/3.23
Affected files (+38, -28 lines):
M src/store-buffer.cc
M src/stub-cache.cc
M src/version.cc
A + test/mjsunit/regress/regress-331416.js
A + test/mjsunit/regress/regress-331444.js
Index: src/store-buffer.cc
diff --git a/src/store-buffer.cc b/src/store-buffer.cc
index
22a546742c85f376839ef68528728cd69bb3cc53..e89eb1bfed4a6a3803858ec13cffface8cea3689
100644
--- a/src/store-buffer.cc
+++ b/src/store-buffer.cc
@@ -224,7 +224,7 @@ void StoreBuffer::ExemptPopularPages(int
prime_sample_step, int threshold) {
containing_chunk = MemoryChunk::FromAnyPointerAddress(heap_, addr);
}
int old_counter = containing_chunk->store_buffer_counter();
- if (old_counter == threshold) {
+ if (old_counter >= threshold) {
containing_chunk->set_scan_on_scavenge(true);
created_new_scan_on_scavenge_pages = true;
}
Index: src/stub-cache.cc
diff --git a/src/stub-cache.cc b/src/stub-cache.cc
index
987c16119e267d0dfb57459fc1a0958d58ddbf6c..689eeaef1537a91f9ebeac0c7bb2516ad84f27e9
100644
--- a/src/stub-cache.cc
+++ b/src/stub-cache.cc
@@ -1667,6 +1667,8 @@ void
KeyedLoadStubCompiler::CompileElementHandlers(MapHandleList* receiver_maps,
if ((receiver_map->instance_type() & kNotStringTag) == 0) {
cached_stub = isolate()->builtins()->KeyedLoadIC_String();
+ } else if (receiver_map->instance_type() < FIRST_JS_RECEIVER_TYPE) {
+ cached_stub = isolate()->builtins()->KeyedLoadIC_Slow();
} else {
bool is_js_array = receiver_map->instance_type() == JS_ARRAY_TYPE;
ElementsKind elements_kind = receiver_map->elements_kind();
@@ -1711,6 +1713,8 @@ Handle<Code>
KeyedStoreStubCompiler::CompileStoreElementPolymorphic(
transitioned_map->elements_kind(),
is_js_array,
store_mode()).GetCode(isolate());
+ } else if (receiver_map->instance_type() < FIRST_JS_RECEIVER_TYPE) {
+ cached_stub = isolate()->builtins()->KeyedStoreIC_Slow();
} else {
if (receiver_map->has_fast_elements() ||
receiver_map->has_external_array_elements()) {
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index
99fc587e0142888a63d643351c3d9945796c77b7..45e5ebce9ed844b24f94c81e4d8af249f73d7149
100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 23
#define BUILD_NUMBER 17
-#define PATCH_LEVEL 8
+#define PATCH_LEVEL 9
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
Index: test/mjsunit/regress/regress-331416.js
diff --git a/test/mjsunit/regress/regress-polymorphic-store.js
b/test/mjsunit/regress/regress-331416.js
similarity index 77%
copy from test/mjsunit/regress/regress-polymorphic-store.js
copy to test/mjsunit/regress/regress-331416.js
index
4723a7f4343bb79daf5283325ee5c1082abefa79..0c60fced14e1c185919985fd011c9ca46d93ff3f
100644
--- a/test/mjsunit/regress/regress-polymorphic-store.js
+++ b/test/mjsunit/regress/regress-331416.js
@@ -1,4 +1,4 @@
-// Copyright 2013 the V8 project authors. All rights reserved.
+// Copyright 2014 the V8 project authors. All rights reserved.
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
@@ -27,22 +27,26 @@
// Flags: --allow-natives-syntax
-var o1 = {};
-o1.f1 = function() { return 10; };
-o1.x = 5;
-o1.y = 2;
-var o2 = {};
-o2.x = 5;
-o2.y = 5;
-
-function store(o, v) {
- o.y = v;
+function load(a, i) {
+ return a[i];
}
+load([1, 2, 3], "length");
+load(3);
+load([1, 2, 3], 3);
+load(0, 0);
+%OptimizeFunctionOnNextCall(load);
+assertEquals(2, load([1, 2, 3], 1));
+assertEquals(undefined, load(0, 0));
-store(o2, 0);
-store(o1, 0);
-store(o2, 0);
+function store(a, i, x) {
+ a[i] = x;
+}
+store([1, 2, 3], "length", 3);
+store(3);
+store([1, 2, 3], 3, 3);
+store(0, 0, 1);
%OptimizeFunctionOnNextCall(store);
-store(o1, 10);
-assertEquals(5, o1.x);
-assertEquals(10, o1.y);
+var a = [1, 2, 3];
+store(a, 1, 1);
+assertEquals(1, a[1]);
+store(0, 0, 1);
Index: test/mjsunit/regress/regress-331444.js
diff --git a/test/mjsunit/regress/regress-3027.js
b/test/mjsunit/regress/regress-331444.js
similarity index 85%
copy from test/mjsunit/regress/regress-3027.js
copy to test/mjsunit/regress/regress-331444.js
index
c7ebd539b685763ae30c778922c484d64ae44e6b..c78d6fb71b7c455abfcd1450d80b5c8a6dcb6e38
100644
--- a/test/mjsunit/regress/regress-3027.js
+++ b/test/mjsunit/regress/regress-331444.js
@@ -1,4 +1,4 @@
-// Copyright 2013 the V8 project authors. All rights reserved.
+// Copyright 2014 the V8 project authors. All rights reserved.
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
@@ -25,18 +25,20 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-// Test to exceed the Heap::MaxRegularSpaceAllocationSize with an array
-// constructor call taking many arguments.
+// Flags: --expose-gc
function boom() {
var args = [];
- for (var i = 0; i < 125000; i++) {
+ for (var i = 0; i < 125000; i++)
args.push(i);
- }
return Array.apply(Array, args);
}
-
var array = boom();
-
-assertEquals(125000, array.length);
-assertEquals(124999, array[124999]);
+function fib(n) {
+ var f0 = 0, f1 = 1;
+ for (; n > 0; n = n - 1) {
+ f0 + f1;
+ f0 = array;
+ }
+}
+fib(12);
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
