Reviewers: danno,
Message:
PTAL
Description:
FastCloneShallowArrayStub should not be used if the length of the array is
too big, as it could eventually exceed the allowed size limit for manually
folded allocations.
Please review this at https://codereview.chromium.org/300283003/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+13, -11 lines):
M src/arm/full-codegen-arm.cc
M src/arm64/full-codegen-arm64.cc
M src/code-stubs.h
M src/hydrogen.cc
M src/ia32/full-codegen-ia32.cc
M src/mips/full-codegen-mips.cc
M src/x64/full-codegen-x64.cc
M src/x87/full-codegen-x87.cc
Index: src/arm/full-codegen-arm.cc
diff --git a/src/arm/full-codegen-arm.cc b/src/arm/full-codegen-arm.cc
index
ccde8b6b227901c07fd5be6e9beb1d5537400963..5e3b62bf121d743a1903de347b0088cfb79958d1
100644
--- a/src/arm/full-codegen-arm.cc
+++ b/src/arm/full-codegen-arm.cc
@@ -1802,7 +1802,7 @@ void
FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
__ ldr(r3, FieldMemOperand(r3, JSFunction::kLiteralsOffset));
__ mov(r2, Operand(Smi::FromInt(expr->literal_index())));
__ mov(r1, Operand(constant_elements));
- if (expr->depth() > 1) {
+ if (expr->depth() > 1 || length > JSObject::kInitialMaxFastElementArray)
{
__ mov(r0, Operand(Smi::FromInt(flags)));
__ Push(r3, r2, r1, r0);
__ CallRuntime(Runtime::kHiddenCreateArrayLiteral, 4);
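Review bot: The new guard uses `length > JSObject::kInitialMaxFastElementArray`, so a literal with exactly kInitialMaxFastElementArray elements still takes the FastCloneShallowArrayStub path, while the comment this CL adds in hydrogen.cc says the stub is reached only for literals "shorter than" that constant; one of the two should change, either `length >= JSObject::kInitialMaxFastElementArray` here or a comment that says "no longer than". The same condition is repeated verbatim in the arm64, ia32, mips, x64 and x87 hunks, which is six places for a single safety bound to drift; a small shared predicate such as `static bool ArrayLiteralNeedsRuntimeCall(ArrayLiteral* expr, int length)` (or an accessor on ArrayLiteral) called from each backend would keep the bound in one spot. VisitArrayLiteral starts outside the hunk, and `length` is presumably computed there from the constant elements, so I cannot confirm its type or origin from this view.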
Index: src/arm64/full-codegen-arm64.cc
diff --git a/src/arm64/full-codegen-arm64.cc
b/src/arm64/full-codegen-arm64.cc
index
1dcdf3c1f9d2678934527149154814ecb3ae4563..fb6cb079711670cc2da44b6e3b45194bfa34954b
100644
--- a/src/arm64/full-codegen-arm64.cc
+++ b/src/arm64/full-codegen-arm64.cc
@@ -1805,7 +1805,7 @@ void
FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
__ Ldr(x3, FieldMemOperand(x3, JSFunction::kLiteralsOffset));
__ Mov(x2, Smi::FromInt(expr->literal_index()));
__ Mov(x1, Operand(constant_elements));
- if (expr->depth() > 1) {
+ if (expr->depth() > 1 || length > JSObject::kInitialMaxFastElementArray)
{
__ Mov(x0, Smi::FromInt(flags));
__ Push(x3, x2, x1, x0);
__ CallRuntime(Runtime::kHiddenCreateArrayLiteral, 4);
Index: src/code-stubs.h
diff --git a/src/code-stubs.h b/src/code-stubs.h
index
520a40509da50a8e5127526ad61dbb85d366aef8..c7fc94496307a45e8e12e87109597fafd03d208e
100644
--- a/src/code-stubs.h
+++ b/src/code-stubs.h
@@ -586,9 +586,6 @@ class FastNewContextStub V8_FINAL : public
HydrogenCodeStub {
class FastCloneShallowArrayStub : public HydrogenCodeStub {
public:
- // Maximum length of copied elements array.
- static const int kMaximumInlinedCloneLength = 8;
-
FastCloneShallowArrayStub(Isolate* isolate,
AllocationSiteMode allocation_site_mode)
: HydrogenCodeStub(isolate),
Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index
4afa65e74dd087325bf323a3b1cb180b0e5ed274..c1cb28f7b7e7f3f8111b5bebafb348f1efc1a885
100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -2525,8 +2525,7 @@ void HGraphBuilder::BuildCopyElements(HValue* array,
capacity->IsConstant() &&
HConstant::cast(capacity)->HasInteger32Value()) {
int constant_candidate = HConstant::cast(capacity)->Integer32Value();
- if (constant_candidate <=
- FastCloneShallowArrayStub::kMaximumInlinedCloneLength) {
+ if (constant_candidate <= kElementLoopUnrollThreshold) {
constant_capacity = constant_candidate;
}
}
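Review bot: Replacing FastCloneShallowArrayStub::kMaximumInlinedCloneLength (8, per the removed declaration in code-stubs.h) with kElementLoopUnrollThreshold changes the unroll cutoff of the element copy loop if the two constants differ, and the CL description says nothing about this; kElementLoopUnrollThreshold is not visible in the hunk, so I cannot tell whether the value is the same. Either add a sentence to the description noting the threshold change, or, if they are meant to be equal, a short comment here such as `// Unroll small constant-capacity copies; matches the previous stub limit.` would record the intent. BuildCopyElements starts outside the hunk.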
@@ -2701,6 +2700,12 @@ HValue*
HGraphBuilder::BuildCloneShallowArrayNonEmpty(HValue* boilerplate,
extra->ClearFlag(HValue::kCanOverflow);
extra = AddUncasted<HAdd>(extra,
Add<HConstant>(FixedArray::kHeaderSize));
extra->ClearFlag(HValue::kCanOverflow);
+ // This function implicitly relies on the fact that the
+ // FastCloneShallowArrayStub is called only for literals shorter than
+ // JSObject::kInitialMaxFastElementArray and therefore the size of the
+ // resulting folded allocation will always be in allowed range.
+ // Can't add HBoundsCheck here because otherwise the stub will eager a
frame.
+
HValue* elements = NULL;
HValue* result = BuildCloneShallowArrayCommon(boilerplate,
allocation_site, extra, &elements, mode);
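Review bot: The new comment documents an invariant that nothing in this function checks: the folded allocation stays within the allowed size only if every caller of FastCloneShallowArrayStub applies the length guard, and that guard is currently spread over six full-codegen backends with no check that the bound itself is small enough. Since the comment rules out a runtime HBoundsCheck, a compile-time assertion tying JSObject::kInitialMaxFastElementArray (times the largest element size, plus the FixedArray and JSArray headers) to whatever limit applies to folded allocations would turn the comment into a checked invariant; I cannot see that limit constant from this hunk, so the exact expression needs to be filled in from code-stubs/heap. The comment should also state the bound precisely rather than "shorter than", since the backend guards use `>` and admit the equal case. The last sentence reads as if a word is missing; if the meaning is that a bounds check would force a frame, `// Can't add HBoundsCheck here because it would force the stub to set up a frame.` is clearer. BuildCloneShallowArrayNonEmpty starts and ends outside the hunk.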
Index: src/ia32/full-codegen-ia32.cc
diff --git a/src/ia32/full-codegen-ia32.cc b/src/ia32/full-codegen-ia32.cc
index
88dad86da8379d1b09526661876cf8286bc33a31..aa1af8e3ffd1e77384543bb85a312f703e535647
100644
--- a/src/ia32/full-codegen-ia32.cc
+++ b/src/ia32/full-codegen-ia32.cc
@@ -1739,7 +1739,7 @@ void
FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
allocation_site_mode = DONT_TRACK_ALLOCATION_SITE;
}
- if (expr->depth() > 1) {
+ if (expr->depth() > 1 || length > JSObject::kInitialMaxFastElementArray)
{
__ mov(ebx, Operand(ebp, JavaScriptFrameConstants::kFunctionOffset));
__ push(FieldOperand(ebx, JSFunction::kLiteralsOffset));
__ push(Immediate(Smi::FromInt(expr->literal_index())));
Index: src/mips/full-codegen-mips.cc
diff --git a/src/mips/full-codegen-mips.cc b/src/mips/full-codegen-mips.cc
index
7310eee88a4e2ec7952cd6346403b109cf928447..97df4714581319b29b0f1d7e9bf70ee96cc349b6
100644
--- a/src/mips/full-codegen-mips.cc
+++ b/src/mips/full-codegen-mips.cc
@@ -1815,7 +1815,7 @@ void
FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
__ lw(a3, FieldMemOperand(a3, JSFunction::kLiteralsOffset));
__ li(a2, Operand(Smi::FromInt(expr->literal_index())));
__ li(a1, Operand(constant_elements));
- if (expr->depth() > 1) {
+ if (expr->depth() > 1 || length > JSObject::kInitialMaxFastElementArray)
{
__ li(a0, Operand(Smi::FromInt(flags)));
__ Push(a3, a2, a1, a0);
__ CallRuntime(Runtime::kHiddenCreateArrayLiteral, 4);
Index: src/x64/full-codegen-x64.cc
diff --git a/src/x64/full-codegen-x64.cc b/src/x64/full-codegen-x64.cc
index
97c9c5cdebc0ef9b35bd9293a7f49ec090491a11..a031a59eae531f2bd6b606c292eb433824add4de
100644
--- a/src/x64/full-codegen-x64.cc
+++ b/src/x64/full-codegen-x64.cc
@@ -1776,7 +1776,7 @@ void
FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
allocation_site_mode = DONT_TRACK_ALLOCATION_SITE;
}
- if (expr->depth() > 1) {
+ if (expr->depth() > 1 || length > JSObject::kInitialMaxFastElementArray)
{
__ movp(rbx, Operand(rbp, JavaScriptFrameConstants::kFunctionOffset));
__ Push(FieldOperand(rbx, JSFunction::kLiteralsOffset));
__ Push(Smi::FromInt(expr->literal_index()));
Index: src/x87/full-codegen-x87.cc
diff --git a/src/x87/full-codegen-x87.cc b/src/x87/full-codegen-x87.cc
index
006383d4d1974087dbbd62f8d2cd11a2b48395ad..ef7f567730cbc8a18849703b1da64b259d2a141f
100644
--- a/src/x87/full-codegen-x87.cc
+++ b/src/x87/full-codegen-x87.cc
@@ -1736,7 +1736,7 @@ void
FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
allocation_site_mode = DONT_TRACK_ALLOCATION_SITE;
}
- if (expr->depth() > 1) {
+ if (expr->depth() > 1 || length > JSObject::kInitialMaxFastElementArray)
{
__ mov(ebx, Operand(ebp, JavaScriptFrameConstants::kFunctionOffset));
__ push(FieldOperand(ebx, JSFunction::kLiteralsOffset));
__ push(Immediate(Smi::FromInt(expr->literal_index())));
--
--