[v8-dev] [v8] r19979 committed - Merged r19693, r19694, r19847, r19893 into 3.24 branch....

Mon, 17 Mar 2014 03:46:18 -0700 

Revision: 19979
Author:   [email protected]
Date:     Mon Mar 17 10:45:33 2014 UTC
Log:      Merged r19693, r19694, r19847, r19893 into 3.24 branch.

Fix HConstants with Smi-ranged HeapNumber values
Fix for failing asserts in HBoundsCheck code generation on x64: use proper cmp operation width instead of asserting that Integer32 values should be zero extended. Similar to chromium:345820. 

KeyedStoreIC miss didn't handle a transitioning case.

BUG=chromium:349878,349465,350884
LOG=N
[email protected]

Review URL: https://codereview.chromium.org/201763002
http://code.google.com/p/v8/source/detail?r=19979

Added:
 /branches/3.24/test/mjsunit/regress/regress-350884.js
 /branches/3.24/test/mjsunit/regress/regress-crbug-349465.js
 /branches/3.24/test/mjsunit/regress/regress-crbug-349878.js
Modified:
 /branches/3.24/src/hydrogen-instructions.cc
 /branches/3.24/src/ic.cc
 /branches/3.24/src/version.cc
 /branches/3.24/src/x64/lithium-codegen-x64.cc

=======================================
--- /dev/null
+++ /branches/3.24/test/mjsunit/regress/regress-350884.js Mon Mar 17 10:45:33 2014 UTC 
@@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var obj = new Array(1);
+obj[0] = 0;
+obj[1] = 0;
+function foo(flag_index) {
+  obj[flag_index]++;
+}
+
+// Force dictionary properties on obj.
+obj[-8] = 3;
+foo(1);
+foo(2);
=======================================
--- /dev/null
+++ /branches/3.24/test/mjsunit/regress/regress-crbug-349465.js Mon Mar 17 10:45:33 2014 UTC 
@@ -0,0 +1,17 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --debug-code --use-gvn
+
+function f(a, base) {
+  a[base] = 1;
+  a[base + 4] = 2;
+  a[base] = 3;
+}
+var a1 = new Array(1024);
+var a2 = new Array(128);
+f(a1, 1);
+f(a2, -2);
+%OptimizeFunctionOnNextCall(f);
+f(a1, -2);
=======================================
--- /dev/null
+++ /branches/3.24/test/mjsunit/regress/regress-crbug-349878.js Mon Mar 17 10:45:33 2014 UTC 
@@ -0,0 +1,33 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f(a, b) {
+  a == b;
+}
+
+f({}, {});
+
+var a = { y: 1.5 };
+a.y = 777;
+var b = a.y;
+
+function h() {
+  var d = 1;
+  var e = 777;
+  while (d-- > 0) e++;
+  f(1, e);
+}
+
+var global;
+function g() {
+  global = b;
+  return h(b);
+}
+
+g();
+g();
+%OptimizeFunctionOnNextCall(g);
+g();
=======================================
--- /branches/3.24/src/hydrogen-instructions.cc Mon Mar 17 09:49:32 2014 UTC
+++ /branches/3.24/src/hydrogen-instructions.cc Mon Mar 17 10:45:33 2014 UTC
@@ -2549,7 +2549,11 @@
     boolean_value_(integer_value != 0),
     int32_value_(integer_value),
     double_value_(FastI2D(integer_value)) {
-  set_type(has_smi_value_ ? HType::Smi() : HType::TaggedNumber());
+ // It's possible to create a constant with a value in Smi-range but stored 
+  // in a (pre-existing) HeapNumber. See crbug.com/349878.
+  bool could_be_heapobject = r.IsTagged() && !object.handle().is_null();
+  bool is_smi = has_smi_value_ && !could_be_heapobject;
+  set_type(is_smi ? HType::Smi() : HType::TaggedNumber());
   Initialize(r);
 }

@@ -2569,7 +2573,11 @@
     int32_value_(DoubleToInt32(double_value)),
     double_value_(double_value) {
   has_smi_value_ = has_int32_value_ && Smi::IsValid(int32_value_);
-  set_type(has_smi_value_ ? HType::Smi() : HType::TaggedNumber());
+ // It's possible to create a constant with a value in Smi-range but stored 
+  // in a (pre-existing) HeapNumber. See crbug.com/349878.
+  bool could_be_heapobject = r.IsTagged() && !object.handle().is_null();
+  bool is_smi = has_smi_value_ && !could_be_heapobject;
+  set_type(is_smi ? HType::Smi() : HType::TaggedNumber());
   Initialize(r);
 }

=======================================
--- /branches/3.24/src/ic.cc    Wed Feb 26 08:17:48 2014 UTC
+++ /branches/3.24/src/ic.cc    Mon Mar 17 10:45:33 2014 UTC
@@ -1435,22 +1435,22 @@
       KeyedStoreIC::GetKeyedAccessStoreMode(target()->extra_ic_state());
   Handle<Map> previous_receiver_map = target_receiver_maps.at(0);
   if (state() == MONOMORPHIC) {
- // If the "old" and "new" maps are in the same elements map family, stay 
-      // MONOMORPHIC and use the map for the most generic ElementsKind.
     Handle<Map> transitioned_receiver_map = receiver_map;
     if (IsTransitionStoreMode(store_mode)) {
-      transitioned_receiver_map =
-          ComputeTransitionedMap(receiver, store_mode);
+ transitioned_receiver_map = ComputeTransitionedMap(receiver, store_mode); 
     }
-    if (IsTransitionOfMonomorphicTarget(
+    if (receiver_map.is_identical_to(previous_receiver_map) ||
+        IsTransitionOfMonomorphicTarget(
             MapToType<HeapType>(transitioned_receiver_map, isolate()))) {
-      // Element family is the same, use the "worst" case map.
+ // If the "old" and "new" maps are in the same elements map family, or + // if they at least come from the same origin for a transitioning store, + // stay MONOMORPHIC and use the map for the most generic ElementsKind. 
       store_mode = GetNonTransitioningStoreMode(store_mode);
       return isolate()->stub_cache()->ComputeKeyedStoreElement(
           transitioned_receiver_map, strict_mode(), store_mode);
     } else if (*previous_receiver_map == receiver->map() &&
                old_store_mode == STANDARD_STORE &&
-               (IsGrowStoreMode(store_mode) ||
+               (store_mode == STORE_AND_GROW_NO_TRANSITION ||
                 store_mode == STORE_NO_TRANSITION_IGNORE_OUT_OF_BOUNDS ||
                 store_mode == STORE_NO_TRANSITION_HANDLE_COW)) {
       // A "normal" IC that handles stores can switch to a version that can
=======================================
--- /branches/3.24/src/version.cc       Mon Mar 17 09:49:32 2014 UTC
+++ /branches/3.24/src/version.cc       Mon Mar 17 10:45:33 2014 UTC
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     24
 #define BUILD_NUMBER      35
-#define PATCH_LEVEL       16
+#define PATCH_LEVEL       17
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
=======================================
--- /branches/3.24/src/x64/lithium-codegen-x64.cc Mon Mar 17 09:49:32 2014 UTC +++ /branches/3.24/src/x64/lithium-codegen-x64.cc Mon Mar 17 10:45:33 2014 UTC 
@@ -3999,44 +3999,51 @@


 void LCodeGen::DoBoundsCheck(LBoundsCheck* instr) {
-  if (instr->hydrogen()->skip_check()) return;
+  HBoundsCheck* hinstr = instr->hydrogen();
+  if (hinstr->skip_check()) return;
+
+  Representation representation = hinstr->length()->representation();
+  ASSERT(representation.Equals(hinstr->index()->representation()));
+  ASSERT(representation.IsSmiOrInteger32());

   if (instr->length()->IsRegister()) {
     Register reg = ToRegister(instr->length());
-    if (!instr->hydrogen()->length()->representation().IsSmi()) {
-      __ AssertZeroExtended(reg);
-    }
+
     if (instr->index()->IsConstantOperand()) {
       int32_t constant_index =
           ToInteger32(LConstantOperand::cast(instr->index()));
-      if (instr->hydrogen()->length()->representation().IsSmi()) {
+      if (representation.IsSmi()) {
         __ Cmp(reg, Smi::FromInt(constant_index));
       } else {
-        __ cmpq(reg, Immediate(constant_index));
+        __ cmpl(reg, Immediate(constant_index));
       }
     } else {
       Register reg2 = ToRegister(instr->index());
-      if (!instr->hydrogen()->index()->representation().IsSmi()) {
-        __ AssertZeroExtended(reg2);
+      if (representation.IsSmi()) {
+        __ cmpq(reg, reg2);
+      } else {
+        __ cmpl(reg, reg2);
       }
-      __ cmpq(reg, reg2);
     }
   } else {
     Operand length = ToOperand(instr->length());
     if (instr->index()->IsConstantOperand()) {
       int32_t constant_index =
           ToInteger32(LConstantOperand::cast(instr->index()));
-      if (instr->hydrogen()->length()->representation().IsSmi()) {
+      if (representation.IsSmi()) {
         __ Cmp(length, Smi::FromInt(constant_index));
       } else {
-        __ cmpq(length, Immediate(constant_index));
+        __ cmpl(length, Immediate(constant_index));
       }
     } else {
-      __ cmpq(length, ToRegister(instr->index()));
+      if (representation.IsSmi()) {
+        __ cmpq(length, ToRegister(instr->index()));
+      } else {
+        __ cmpl(length, ToRegister(instr->index()));
+      }
     }
   }
-  Condition condition =
-      instr->hydrogen()->allow_equality() ? below : below_equal;
+  Condition condition = hinstr->allow_equality() ? below : below_equal;
   ApplyCheckIf(condition, instr);
 }

--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
--- You received this message because you are subscribed to the Google Groups "v8-dev" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to