Revision: 19589
Author: [email protected]
Date: Thu Feb 27 16:59:32 2014 UTC
Log: Merged r19535, r19549, r19586, r19584 into trunk branch.
Fix for a smi stores optimization on x64 with a regression test.
Fix for failing asserts in HBoundsCheck code generation on x64: index
register should be zero extended.
Fix putting of prototype transitions. The length is also subject to GC,
just like entry.
Handle arguments objects in frame when materializing arguments
BUG=345715,345820,347536,347262
LOG=N
[email protected]
Review URL: https://codereview.chromium.org/183353002
http://code.google.com/p/v8/source/detail?r=19589
Added:
/trunk/test/mjsunit/regress/regress-347262.js
/trunk/test/mjsunit/regress/regress-crbug-345715.js
/trunk/test/mjsunit/regress/regress-crbug-345820.js
/trunk/test/mjsunit/regress/regress-put-prototype-transition.js
Modified:
/trunk/src/deoptimizer.cc
/trunk/src/deoptimizer.h
/trunk/src/mark-compact.cc
/trunk/src/objects.cc
/trunk/src/version.cc
/trunk/src/x64/disasm-x64.cc
/trunk/src/x64/lithium-gap-resolver-x64.cc
=======================================
--- /dev/null
+++ /trunk/test/mjsunit/regress/regress-347262.js Thu Feb 27 16:59:32 2014
UTC
@@ -0,0 +1,62 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+(function ArgumentsObjectWithOtherArgumentsInFrame() {
+ function g() {
+ return g.arguments;
+ }
+
+ function f(x) {
+ g();
+ return arguments[0];
+ }
+ f();
+ f();
+ %OptimizeFunctionOnNextCall(f);
+ f();
+})();
+
+
+(function ArgumentsObjectWithOtherArgumentsDeopt() {
+ function g(y) {
+ y.o2 = 2;
+ return g.arguments;
+ }
+
+ function f(x) {
+ var o1 = { o2 : 1 };
+ var a = g(o1);
+ o1.o2 = 3;
+ return arguments[0] + a[0].o2;
+ }
+ f(0);
+ f(0);
+ %OptimizeFunctionOnNextCall(f);
+ assertEquals(3, f(0));
+})();
=======================================
--- /dev/null
+++ /trunk/test/mjsunit/regress/regress-crbug-345715.js Thu Feb 27 16:59:32
2014 UTC
@@ -0,0 +1,26 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+a = {y:1.5};
+a.y = 0;
+b = a.y;
+c = {y:{}};
+
+function f() {
+ return 1;
+}
+
+function g() {
+ var e = {y: b};
+ var d = {x:f()};
+ var d = {x:f()};
+ return [e, d];
+}
+
+g();
+g();
+%OptimizeFunctionOnNextCall(g);
+assertEquals(1, g()[1].x);
=======================================
--- /dev/null
+++ /trunk/test/mjsunit/regress/regress-crbug-345820.js Thu Feb 27 16:59:32
2014 UTC
@@ -0,0 +1,18 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --debug-code
+
+var __v_6 = {};
+__v_6 = new Int32Array(5);
+for (var i = 0; i < __v_6.length; i++) __v_6[i] = 0;
+
+function __f_7(N) {
+ for (var i = -1; i < N; i++) {
+ __v_6[i] = i;
+ }
+}
+__f_7(1);
+%OptimizeFunctionOnNextCall(__f_7);
+__f_7(__v_6.length);
=======================================
--- /dev/null
+++ /trunk/test/mjsunit/regress/regress-put-prototype-transition.js Thu Feb
27 16:59:32 2014 UTC
@@ -0,0 +1,49 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc --stress-compaction
--gc-interval=255
+
+function deepEquals(a, b) { if (a === b) { if (a === 0) return (1 / a) ===
(1 / b); return true; } if (typeof a != typeof b) return false; if (typeof
a == "number") return isNaN(a) && isNaN(b); if (typeof a !== "object" &&
typeof a !== "function") return false; var objectClass = classOf(a); if
(objectClass !== classOf(b)) return false; if (objectClass === "RegExp") {
return (a.toString() === b.toString()); } if (objectClass === "Function")
return false; if (objectClass === "Array") { var elementCount = 0; if
(a.length != b.length) { return false; } for (var i = 0; i < a.length; i++)
{ if (!deepEquals(a[i], b[i])) return false; } return true; } if
(objectClass == "String" || objectClass == "Number" || objectClass
== "Boolean" || objectClass == "Date") { if (a.valueOf() !== b.valueOf())
return false; } return deepObjectEquals(a, b); }
+assertSame = function assertSame(expected, found, name_opt) { if (found
=== expected) { if (expected !== 0 || (1 / expected) == (1 / found))
return; } else if ((expected !== expected) && (found !== found)) { return;
} fail(PrettyPrint(expected), found, name_opt); }; assertEquals = function
assertEquals(expected, found, name_opt) { if (!deepEquals(found, expected))
{ fail(PrettyPrint(expected), found, name_opt); } };
+assertEqualsDelta = function assertEqualsDelta(expected, found, delta,
name_opt) { assertTrue(Math.abs(expected - found) <= delta, name_opt); };
assertArrayEquals = function assertArrayEquals(expected, found, name_opt) {
var start = ""; if (name_opt) { start = name_opt + " - "; }
assertEquals(expected.length, found.length, start + "array length"); if
(expected.length == found.length) { for (var i = 0; i < expected.length;
++i) { assertEquals(expected[i], found[i], start + "array element at
index " + i); } } };
+assertTrue = function assertTrue(value, name_opt) { assertEquals(true,
value, name_opt); };
+assertFalse = function assertFalse(value, name_opt) { assertEquals(false,
value, name_opt); };
+// End stripped down and modified version of mjsunit.js.
+
+var __v_0 = {};
+var __v_1 = {};
+function __f_3() { }
+function __f_4(obj) {
+ for (var __v_2 = 0; __v_2 < 26; __v_2++) {
+ obj["__v_5" + __v_2] = 0;
+ }
+}
+function __f_0(__v_1, __v_6) {
+ (new __f_3()).__proto__ = __v_1;
+}
+%DebugPrint(undefined);
+function __f_1(__v_4, add_first, __v_6, same_map_as) {
+ var __v_1 = __v_4 ? new __f_3() : {};
+ assertTrue(%HasFastProperties(__v_1));
+ if (add_first) {
+ __f_4(__v_1);
+ assertFalse(%HasFastProperties(__v_1));
+ __f_0(__v_1, __v_6);
+ assertTrue(%HasFastProperties(__v_1));
+ } else {
+ __f_0(__v_1, __v_6);
+ assertTrue(%HasFastProperties(__v_1));
+ __f_4(__v_1);
+ assertFalse(%HasFastProperties(__v_1));
+ }
+}
+gc();
+for (var __v_2 = 0; __v_2 < 4; __v_2++) {
+ var __v_6 = ((__v_2 & 2) != 7);
+ var __v_4 = ((__v_2 & 2) != 0);
+ __f_1(__v_4, true, __v_6);
+ var __v_0 = __f_1(__v_4, false, __v_6);
+ __f_1(__v_4, false, __v_6, __v_0);
+}
+__v_5 = {a: 1, b: 2, c: 3};
=======================================
--- /trunk/src/deoptimizer.cc Wed Feb 26 12:50:40 2014 UTC
+++ /trunk/src/deoptimizer.cc Thu Feb 27 16:59:32 2014 UTC
@@ -2992,8 +2992,7 @@
}
case Translation::ARGUMENTS_OBJECT:
- // This can be only emitted for local slots not for argument slots.
- break;
+ return SlotRef::NewArgumentsObject(iterator->Next());
case Translation::CAPTURED_OBJECT: {
return SlotRef::NewDeferredObject(iterator->Next());
@@ -3043,7 +3042,7 @@
break;
}
- UNREACHABLE();
+ FATAL("We should never get here - unexpected deopt info.");
return SlotRef();
}
@@ -3123,9 +3122,8 @@
// the nested slots of captured objects
number_of_slots--;
SlotRef& slot = slot_refs_.last();
- if (slot.Representation() == SlotRef::DEFERRED_OBJECT) {
- number_of_slots += slot.DeferredObjectLength();
- }
+ ASSERT(slot.Representation() != SlotRef::ARGUMENTS_OBJECT);
+ number_of_slots += slot.GetChildrenCount();
if (slot.Representation() == SlotRef::DEFERRED_OBJECT ||
slot.Representation() == SlotRef::DUPLICATE_OBJECT) {
should_deopt = true;
@@ -3179,7 +3177,7 @@
return literal_;
default:
- UNREACHABLE();
+ FATAL("We should never get here - unexpected deopt info.");
return Handle<Object>::null();
}
}
@@ -3209,19 +3207,18 @@
previously_materialized_objects_->get(object_index), isolate);
materialized_objects_.Add(return_value);
- // Now need to skip all nested objects (and possibly read them from
- // the materialization store, too)
+ // Now need to skip all the nested objects (and possibly read them from
+ // the materialization store, too).
for (int i = 0; i < length; i++) {
SlotRef& slot = slot_refs_[current_slot_];
current_slot_++;
- // For nested deferred objects, we need to read its properties
- if (slot.Representation() == SlotRef::DEFERRED_OBJECT) {
- length += slot.DeferredObjectLength();
- }
+ // We need to read all the nested objects - add them to the
+ // number of objects we need to process.
+ length += slot.GetChildrenCount();
- // For nested deferred and duplicate objects, we need to put them into
- // our materialization array
+ // Put the nested deferred/duplicate objects into our materialization
+ // array.
if (slot.Representation() == SlotRef::DEFERRED_OBJECT ||
slot.Representation() == SlotRef::DUPLICATE_OBJECT) {
int nested_object_index = materialized_objects_.length();
@@ -3247,8 +3244,20 @@
case SlotRef::LITERAL: {
return slot.GetValue(isolate);
}
+ case SlotRef::ARGUMENTS_OBJECT: {
+ // We should never need to materialize an arguments object,
+ // but we still need to put something into the array
+ // so that the indexing is consistent.
+ materialized_objects_.Add(isolate->factory()->undefined_value());
+ int length = slot.GetChildrenCount();
+ for (int i = 0; i < length; ++i) {
+ // We don't need the argument, just ignore it
+ GetNext(isolate, lvl + 1);
+ }
+ return isolate->factory()->undefined_value();
+ }
case SlotRef::DEFERRED_OBJECT: {
- int length = slot.DeferredObjectLength();
+ int length = slot.GetChildrenCount();
ASSERT(slot_refs_[current_slot_].Representation() ==
SlotRef::LITERAL ||
slot_refs_[current_slot_].Representation() ==
SlotRef::TAGGED);
@@ -3317,7 +3326,7 @@
break;
}
- UNREACHABLE();
+ FATAL("We should never get here - unexpected deopt slot kind.");
return Handle<Object>::null();
}
=======================================
--- /trunk/src/deoptimizer.h Fri Jan 31 14:01:53 2014 UTC
+++ /trunk/src/deoptimizer.h Thu Feb 27 16:59:32 2014 UTC
@@ -794,7 +794,9 @@
// with the DeferredObjectLength() method
// (the SlotRefs of the nested objects follow
// this SlotRef in the depth-first order.)
- DUPLICATE_OBJECT // Duplicated object of a deferred object.
+ DUPLICATE_OBJECT, // Duplicated object of a deferred object.
+ ARGUMENTS_OBJECT // Arguments object - only used to keep indexing
+ // in sync, it should not be materialized.
};
SlotRef()
@@ -805,6 +807,13 @@
SlotRef(Isolate* isolate, Object* literal)
: literal_(literal, isolate), representation_(LITERAL) { }
+
+ static SlotRef NewArgumentsObject(int length) {
+ SlotRef slot;
+ slot.representation_ = ARGUMENTS_OBJECT;
+ slot.deferred_object_length_ = length;
+ return slot;
+ }
static SlotRef NewDeferredObject(int length) {
SlotRef slot;
@@ -822,7 +831,14 @@
return slot;
}
- int DeferredObjectLength() { return deferred_object_length_; }
+ int GetChildrenCount() {
+ if (representation_ == DEFERRED_OBJECT ||
+ representation_ == ARGUMENTS_OBJECT) {
+ return deferred_object_length_;
+ } else {
+ return 0;
+ }
+ }
int DuplicateObjectId() { return duplicate_object_id_; }
=======================================
--- /trunk/src/mark-compact.cc Wed Feb 26 12:50:40 2014 UTC
+++ /trunk/src/mark-compact.cc Thu Feb 27 16:59:32 2014 UTC
@@ -2618,6 +2618,7 @@
Object* prototype = prototype_transitions->get(proto_offset + i *
step);
Object* cached_map = prototype_transitions->get(map_offset + i * step);
if (IsMarked(prototype) && IsMarked(cached_map)) {
+ ASSERT(!prototype->IsUndefined());
int proto_index = proto_offset + new_number_of_transitions * step;
int map_index = map_offset + new_number_of_transitions * step;
if (new_number_of_transitions != i) {
=======================================
--- /trunk/src/objects.cc Wed Feb 26 12:50:40 2014 UTC
+++ /trunk/src/objects.cc Thu Feb 27 16:59:32 2014 UTC
@@ -11565,7 +11565,7 @@
cache->set(entry + kProtoTransitionPrototypeOffset, *prototype);
cache->set(entry + kProtoTransitionMapOffset, *target_map);
- map->SetNumberOfProtoTransitions(transitions);
+ map->SetNumberOfProtoTransitions(last + 1);
return map;
}
=======================================
--- /trunk/src/version.cc Wed Feb 26 12:50:40 2014 UTC
+++ /trunk/src/version.cc Thu Feb 27 16:59:32 2014 UTC
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 24
#define BUILD_NUMBER 35
-#define PATCH_LEVEL 4
+#define PATCH_LEVEL 5
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
=======================================
--- /trunk/src/x64/disasm-x64.cc Wed Feb 26 12:50:40 2014 UTC
+++ /trunk/src/x64/disasm-x64.cc Thu Feb 27 16:59:32 2014 UTC
@@ -1451,7 +1451,8 @@
data += 3;
break;
case OPERAND_DOUBLEWORD_SIZE:
- addr = reinterpret_cast<byte*>(*reinterpret_cast<int32_t*>(data
+ 1));
+ addr =
+ reinterpret_cast<byte*>(*reinterpret_cast<uint32_t*>(data +
1));
data += 5;
break;
case OPERAND_QUADWORD_SIZE:
=======================================
--- /trunk/src/x64/lithium-gap-resolver-x64.cc Mon Jan 20 07:57:28 2014 UTC
+++ /trunk/src/x64/lithium-gap-resolver-x64.cc Thu Feb 27 16:59:32 2014 UTC
@@ -198,7 +198,7 @@
if (cgen_->IsSmiConstant(constant_source)) {
__ Move(dst, cgen_->ToSmi(constant_source));
} else if (cgen_->IsInteger32Constant(constant_source)) {
- __ Set(dst, cgen_->ToInteger32(constant_source));
+ __ Set(dst,
static_cast<uint32_t>(cgen_->ToInteger32(constant_source)));
} else {
__ Move(dst, cgen_->ToHandle(constant_source));
}
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
