Reviewers: Michael Starzinger,
Description:
Fix of argument materialization of captured heap numbers.
The escape analysis calculates the number of slots in an object as
no-of-slots = object-size / pointer-size. This gives 3 slots for
heap numbers on 32-bit architectures (one slot for the map, two for
the double value); however, my argument materialization code assumed
just two slots (map + value). Since Hydrogen allocates heap numbers
quite rarely, it is hard to produce a more meaningful repro than the
one provided by Clusterfuzz. Any suggestions are welcome.
The fix is simple - we just read out all extra slots (beyond the map
and the double) for heap numbers.
[email protected]
BUG=
Please review this at https://codereview.chromium.org/196283004/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+22, -13 lines):
M src/deoptimizer.cc
A + test/mjsunit/regress/regress-351315.js
Index: src/deoptimizer.cc
diff --git a/src/deoptimizer.cc b/src/deoptimizer.cc
index
1f645e41cc6d7c18063b623178d4fcfc197dcfc8..5e4ae5e47e2f1c71cc96440d24c50cecb592a0af
100644
--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@@ -3287,6 +3287,13 @@ Handle<Object> SlotRefValueBuilder::GetNext(Isolate*
isolate, int lvl) {
// tagged and skip materializing the HeapNumber explicitly.
Handle<Object> object = GetNext(isolate, lvl + 1);
materialized_objects_.Add(object);
+ // On 32-bit architectures, there is an extra slot there because
+ // the escape analysis calculates the number of slots as
+ // object-size/pointer-size. To account for this, we read out
+ // any extra slots.
+ for (int i = 0; i < length - 2; i++) {
+ GetNext(isolate, lvl + 1);
+ }
return object;
}
case JS_OBJECT_TYPE: {
@@ -3341,7 +3348,7 @@ Handle<Object> SlotRefValueBuilder::GetNext(Isolate*
isolate, int lvl) {
void SlotRefValueBuilder::Finish(Isolate* isolate) {
- // We should have processed all slot
+ // We should have processed all the slots
ASSERT(slot_refs_.length() == current_slot_);
if (materialized_objects_.length() > prev_materialized_count_) {
Index: test/mjsunit/regress/regress-351315.js
diff --git a/test/mjsunit/regress/comparison-in-effect-context-deopt.js
b/test/mjsunit/regress/regress-351315.js
similarity index 84%
copy from test/mjsunit/regress/comparison-in-effect-context-deopt.js
copy to test/mjsunit/regress/regress-351315.js
index
b28dff73a745dfc7445a6c093380c56f51b3fb76..e2580fc34beab641655ba2a58c3e09e007890fd0
100644
--- a/test/mjsunit/regress/comparison-in-effect-context-deopt.js
+++ b/test/mjsunit/regress/regress-351315.js
@@ -27,21 +27,23 @@
// Flags: --allow-natives-syntax
-function lazyDeopt() {
- %DeoptimizeFunction(test);
- return "deopt";
-}
+function f_13(x, y, z) { }
+
+v_5 = f_13.bind({}, -7);
-var x = { toString : lazyDeopt };
+function f_0(z) {
+ return %NewObjectFromBound(v_5);
+}
-function g(x) {
- return "result";
+function f_8(z2, y2) {
+ var v_0 = { f1 : 0.5, f2 : 0.25 };
+ return f_0(v_0);
}
-function test(x) {
- return g(void(x == ""));
+function f_12(f, args) {
+ f.apply(this, args);
+ %OptimizeFunctionOnNextCall(f);
+ f.apply(this, args);
}
-test(x);
-%OptimizeFunctionOnNextCall(test);
-assertEquals("result", test(x));
+f_12(f_8, [6, 4]);
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
