Reviewers: danno,
Message:
Hi Danno, here is the CL we discussed,
--Michael
Description:
HCheckFunction is needed to protect new array constructors in
crankshafted code.
BUG=
Please review this at https://codereview.chromium.org/16944006/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/hydrogen.cc
M test/mjsunit/allocation-site-info.js
A + test/mjsunit/array-constructor-feedback.js
Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index
3d0d5505aea05800177fdce62d85f9cafe7dcaef..e86d216120284823466b697d5a4a27715f3477d2
100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -8919,9 +8919,11 @@ void HOptimizedGraphBuilder::VisitCallNew(CallNew*
expr) {
} else {
// The constructor function is both an operand to the instruction and
an
// argument to the construct call.
+ Handle<JSFunction> array_function =
+ Handle<JSFunction>(isolate()->global_context()->array_function(),
+ isolate());
bool use_call_new_array = FLAG_optimize_constructed_arrays &&
- !(expr->target().is_null()) &&
- *(expr->target()) == isolate()->global_context()->array_function();
+ expr->target().is_identical_to(array_function);
CHECK_ALIVE(VisitArgument(expr->expression()));
HValue* constructor = HPushArgument::cast(Top())->argument();
@@ -8929,6 +8931,7 @@ void HOptimizedGraphBuilder::VisitCallNew(CallNew*
expr) {
HCallNew* call;
if (use_call_new_array) {
Handle<Cell> cell = expr->allocation_info_cell();
+ AddInstruction(new(zone()) HCheckFunction(constructor,
array_function));
call = new(zone()) HCallNewArray(context, constructor,
argument_count,
cell);
} else {
Index: test/mjsunit/allocation-site-info.js
diff --git a/test/mjsunit/allocation-site-info.js
b/test/mjsunit/allocation-site-info.js
index
f533d617384992694ed52113cf961c623f651bdf..69ee83ec765cda0b35119ac7b068744232a3c4e3
100644
--- a/test/mjsunit/allocation-site-info.js
+++ b/test/mjsunit/allocation-site-info.js
@@ -315,7 +315,8 @@ if (support_smi_only_arrays) {
instanceof_check(realmBArray);
%OptimizeFunctionOnNextCall(instanceof_check);
instanceof_check(Array);
- instanceof_check(realmBArray);
assertTrue(2 != %GetOptimizationStatus(instanceof_check));
+ instanceof_check(realmBArray);
+ assertTrue(1 != %GetOptimizationStatus(instanceof_check));
}
}
Index: test/mjsunit/array-constructor-feedback.js
diff --git a/test/mjsunit/regress/regress-crbug-245480.js
b/test/mjsunit/array-constructor-feedback.js
similarity index 54%
copy from test/mjsunit/regress/regress-crbug-245480.js
copy to test/mjsunit/array-constructor-feedback.js
index
4769486403cc43c39b243b499c763eadaaed9578..d723121eef4ac6ea5c4410f98660a0d8deaadc6c
100644
--- a/test/mjsunit/regress/regress-crbug-245480.js
+++ b/test/mjsunit/array-constructor-feedback.js
@@ -1,4 +1,4 @@
-// Copyright 2013 the V8 project authors. All rights reserved.
+// Copyright 2012 the V8 project authors. All rights reserved.
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
@@ -37,6 +37,7 @@
// support_smi_only_arrays = %HasFastSmiElements(new
Array(1,2,3,4,5,6,7,8));
support_smi_only_arrays = true;
+optimize_constructed_arrays = true;
if (support_smi_only_arrays) {
print("Tests include smi-only arrays.");
@@ -44,47 +45,62 @@ if (support_smi_only_arrays) {
print("Tests do NOT include smi-only arrays.");
}
-function isHoley(obj) {
- if (%HasFastHoleyElements(obj)) return true;
- return false;
+if (optimize_constructed_arrays) {
+ print("Tests include constructed array optimizations.");
+} else {
+ print("Tests do NOT include constructed array optimizations.");
}
-function assertHoley(obj, name_opt) {
- assertEquals(true, isHoley(obj), name_opt);
+var elements_kind = {
+ fast_smi_only : 'fast smi only elements',
+ fast : 'fast elements',
+ fast_double : 'fast double elements',
+ dictionary : 'dictionary elements',
+ external_byte : 'external byte elements',
+ external_unsigned_byte : 'external unsigned byte elements',
+ external_short : 'external short elements',
+ external_unsigned_short : 'external unsigned short elements',
+ external_int : 'external int elements',
+ external_unsigned_int : 'external unsigned int elements',
+ external_float : 'external float elements',
+ external_double : 'external double elements',
+ external_pixel : 'external pixel elements'
}
-function assertNotHoley(obj, name_opt) {
- assertEquals(false, isHoley(obj), name_opt);
+function getKind(obj) {
+ if (%HasFastSmiElements(obj)) return elements_kind.fast_smi_only;
+ if (%HasFastObjectElements(obj)) return elements_kind.fast;
+ if (%HasFastDoubleElements(obj)) return elements_kind.fast_double;
+ if (%HasDictionaryElements(obj)) return elements_kind.dictionary;
}
-if (support_smi_only_arrays) {
- function create_array(arg) {
- return new Array(arg);
- }
-
- obj = create_array(0);
- assertNotHoley(obj);
- create_array(0);
- %OptimizeFunctionOnNextCall(create_array);
- obj = create_array(10);
- assertHoley(obj);
+function isHoley(obj) {
+ if (%HasFastHoleyElements(obj)) return true;
+ return false;
}
-// The code below would assert in debug or crash in release
-function f(length) {
- return new Array(length)
+function assertKind(expected, obj, name_opt) {
+ if (!support_smi_only_arrays &&
+ expected == elements_kind.fast_smi_only) {
+ expected = elements_kind.fast;
+ }
+ assertEquals(expected, getKind(obj), name_opt);
}
-f(0);
-f(0);
-%OptimizeFunctionOnNextCall(f);
-var a = f(10);
+if (support_smi_only_arrays && optimize_constructed_arrays) {
+ function bar0(t) {
+ return new t();
+ }
-function g(a) {
- return a[0];
+ a = bar0(Array);
+ a[0] = 3.5;
+ b = bar0(Array);
+ assertKind(elements_kind.fast_double, b);
+ %OptimizeFunctionOnNextCall(bar0);
+ b = bar0(Array);
+ assertKind(elements_kind.fast_double, b);
+ assertTrue(2 != %GetOptimizationStatus(bar0));
+ // bar0 should deopt
+ b = bar0(Object);
+ assertTrue(1 != %GetOptimizationStatus(bar0));
}
-
-var b = [0];
-g(b);
-g(b);
-assertEquals(undefined, g(a));
\ No newline at end of file
--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
