[v8-dev] Fix dictionary element load to pass correct elements kind. (issue 166653005)

[ulan]

Reviewers: danno, Igor Sheludko,

Message:
PTAL
Description:
Fix dictionary element load to pass correct elements kind.

Using FAST_SMI_ELEMENTS triggers optimization on 64-bit architectures that  
load
only the higher 32 bits of the element. If the element is a pointer to  
undefined
that has 0 in the higher half than it is erroneously treated as SMI 0.

BUG=v8:3158
LOG=N
TEST=mjsunit/sparse-array-reverse,mjsunit/regress/regress-3158.js

Please review this at https://codereview.chromium.org/166653005/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+25, -3 lines):
  M src/hydrogen.cc
  A test/mjsunit/regress/regress-3158.js


Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index  
ff987797afdbd65c44870451304ba014267c1259..6978c0a5a54a1e2711d1c6bcf3b9261ede564258  
100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -1451,7 +1451,7 @@ HValue*  
HGraphBuilder::BuildUncheckedDictionaryElementLoadHelper(

   HValue* candidate_key = Add<HLoadKeyed>(elements, key_index,
                                           static_cast<HValue*>(NULL),
-                                          FAST_SMI_ELEMENTS);
+                                          FAST_ELEMENTS);

   IfBuilder key_compare(this);
   key_compare.IfNot<HCompareObjectEqAndBranch>(key, candidate_key);
@@ -1477,7 +1477,7 @@ HValue*  
HGraphBuilder::BuildUncheckedDictionaryElementLoadHelper(

     HValue* details = Add<HLoadKeyed>(elements, details_index,
                                       static_cast<HValue*>(NULL),
-                                      FAST_SMI_ELEMENTS);
+                                      FAST_ELEMENTS);
     IfBuilder details_compare(this);
     details_compare.If<HCompareNumericAndBranch>(details,
                                                  graph()->GetConstant0(),
@@ -1547,7 +1547,7 @@ HValue*  
HGraphBuilder::BuildUncheckedDictionaryElementLoad(HValue* receiver,
       elements,
       Add<HConstant>(NameDictionary::kCapacityIndex),
       static_cast<HValue*>(NULL),
-      FAST_SMI_ELEMENTS);
+      FAST_ELEMENTS);

   HValue* mask = AddUncasted<HSub>(capacity, graph()->GetConstant1());
   mask->ChangeRepresentation(Representation::Integer32());
Index: test/mjsunit/regress/regress-3158.js
diff --git a/test/mjsunit/regress/regress-3158.js  
b/test/mjsunit/regress/regress-3158.js
new file mode 100644
index  
0000000000000000000000000000000000000000..c3ea9b59c0cb81621f7f789fa7f235945689f773
--- /dev/null
+++ b/test/mjsunit/regress/regress-3158.js
@@ -0,0 +1,22 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+Array.prototype[0] = 'a';
+delete Array.prototype[0];
+
+function foo(a, i) {
+  return a[i];
+}
+
+var a = new Array(100000);
+a[3] = 'x';
+
+foo(a, 3);
+foo(a, 3);
+foo(a, 3);
+%OptimizeFunctionOnNextCall(foo);
+foo(a, 3);
+Array.prototype[0] = 'a';
+var z = foo(a, 0);
+assertEquals('a', z);


--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
--- 
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.