[v8-dev] [v8] r19387 committed - Fix dictionary element load to pass correct elements kind....

codesite-noreply Fri, 14 Feb 2014 07:55:26 -0800

Revision: 19387
Author:   [email protected]
Date:     Fri Feb 14 15:52:24 2014 UTC
Log:      Fix dictionary element load to pass correct elements kind.

Using FAST_SMI_ELEMENTS triggers optimization on 64-bit architectures thatloadonly the higher 32 bits of the element. If the element is a pointer toundefined

that has 0 in the higher half than it is erroneously treated as SMI 0.

BUG=v8:3158
LOG=N
TEST=mjsunit/sparse-array-reverse,mjsunit/regress/regress-3158.js
[email protected], [email protected]

Review URL: https://codereview.chromium.org/166653005
http://code.google.com/p/v8/source/detail?r=19387

Added:
 /branches/bleeding_edge/test/mjsunit/regress/regress-3158.js
Modified:
 /branches/bleeding_edge/src/hydrogen.cc
 /branches/bleeding_edge/src/x64/lithium-codegen-x64.cc
 /branches/bleeding_edge/test/mjsunit/mjsunit.status

=======================================
--- /dev/null

+++ /branches/bleeding_edge/test/mjsunit/regress/regress-3158.js Fri Feb 1415:52:24 2014 UTC

@@ -0,0 +1,24 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax
+
+Array.prototype[0] = 'a';
+delete Array.prototype[0];
+
+function foo(a, i) {
+  return a[i];
+}
+
+var a = new Array(100000);
+a[3] = 'x';
+
+foo(a, 3);
+foo(a, 3);
+foo(a, 3);
+%OptimizeFunctionOnNextCall(foo);
+foo(a, 3);
+Array.prototype[0] = 'a';
+var z = foo(a, 0);
+assertEquals('a', z);
=======================================
--- /branches/bleeding_edge/src/hydrogen.cc     Fri Feb 14 14:13:06 2014 UTC
+++ /branches/bleeding_edge/src/hydrogen.cc     Fri Feb 14 15:52:24 2014 UTC
@@ -1451,7 +1451,7 @@

   HValue* candidate_key = Add<HLoadKeyed>(elements, key_index,
                                           static_cast<HValue*>(NULL),
-                                          FAST_SMI_ELEMENTS);
+                                          FAST_ELEMENTS);

   IfBuilder key_compare(this);
   key_compare.IfNot<HCompareObjectEqAndBranch>(key, candidate_key);
@@ -1477,7 +1477,7 @@

     HValue* details = Add<HLoadKeyed>(elements, details_index,
                                       static_cast<HValue*>(NULL),
-                                      FAST_SMI_ELEMENTS);
+                                      FAST_ELEMENTS);
     IfBuilder details_compare(this);
     details_compare.If<HCompareNumericAndBranch>(details,
                                                  graph()->GetConstant0(),
@@ -1547,7 +1547,7 @@
       elements,
       Add<HConstant>(NameDictionary::kCapacityIndex),
       static_cast<HValue*>(NULL),
-      FAST_SMI_ELEMENTS);
+      FAST_ELEMENTS);

   HValue* mask = AddUncasted<HSub>(capacity, graph()->GetConstant1());
   mask->ChangeRepresentation(Representation::Integer32());
=======================================

--- /branches/bleeding_edge/src/x64/lithium-codegen-x64.cc Thu Feb 1316:09:28 2014 UTC+++ /branches/bleeding_edge/src/x64/lithium-codegen-x64.cc Fri Feb 1415:52:24 2014 UTC

@@ -2781,6 +2781,12 @@
   Representation representation = access.representation();
   if (representation.IsSmi() &&
       instr->hydrogen()->representation().IsInteger32()) {
+#ifdef DEBUG
+    Register scratch = kScratchRegister;
+    __ Load(scratch, FieldOperand(object, offset), representation);
+    __ AssertSmi(scratch);
+#endif
+
     // Read int value directly from upper half of the smi.
     STATIC_ASSERT(kSmiTag == 0);
     STATIC_ASSERT(kSmiTagSize + kSmiShiftSize == 32);
@@ -3026,6 +3032,17 @@
   if (representation.IsInteger32() &&
       hinstr->elements_kind() == FAST_SMI_ELEMENTS) {
     ASSERT(!requires_hole_check);
+#ifdef DEBUG
+    Register scratch = kScratchRegister;
+    __ Load(scratch,
+            BuildFastArrayOperand(instr->elements(),
+                                  key,
+                                  FAST_ELEMENTS,
+                                  offset,
+                                  instr->additional_index()),
+            Representation::Smi());
+    __ AssertSmi(scratch);
+#endif
     // Read int value directly from upper half of the smi.
     STATIC_ASSERT(kSmiTag == 0);
     STATIC_ASSERT(kSmiTagSize + kSmiShiftSize == 32);
=======================================

--- /branches/bleeding_edge/test/mjsunit/mjsunit.status Thu Feb 13 15:49:012014 UTC+++ /branches/bleeding_edge/test/mjsunit/mjsunit.status Fri Feb 14 15:52:242014 UTC

@@ -182,11 +182,6 @@

   # BUG(v8:3156): Fails on gc stress bots.

'compiler/concurrent-invalidate-transition-map': [PASS, ['gc_stress ==True', FAIL]],

-  # BUG(v8:3157): Fails on gc stress bots.
-  'sparse-array-reverse': [PASS, ['gc_stress == True', FAIL]],
-
-  # BUG(v8:3158): Fails on no_snap debug bots.
-  'sparse-array-reverse': [PASS, ['mode == debug', FAIL]],
 }],  # 'arch == a64'

 ['arch == a64 and mode == debug and simulator_run == True', {

--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev

---You received this message because you are subscribed to the Google Groups "v8-dev" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

[v8-dev] [v8] r19387 committed - Fix dictionary element load to pass correct elements kind....

Reply via email to