Reviewers: Toon Verwaest,
Message:
PTAL
Description:
Avoid fast short-cut in Map::GeneralizeRepresentation() for literals with
non-simple transitions.
It started showing after r25253.
BUG=v8:3687
Please review this at https://codereview.chromium.org/715313003/
Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+22, -12 lines):
M src/objects.cc
A + test/mjsunit/regress/regress-3687.js
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
01b4a1aca09f61e9504b67a41f7f6abb66971e39..e6c46432dc5eee76b216f7d791751af2d0feb68b
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -2471,9 +2471,13 @@ Handle<Map>
Map::GeneralizeRepresentation(Handle<Map> old_map,
// modification to the object, because the default uninitialized value
for
// representation None can be overwritten by both smi and tagged values.
// Doubles, however, would require a box allocation.
- if (old_representation.IsNone() &&
- !new_representation.IsNone() &&
- !new_representation.IsDouble()) {
+ // Note that if the map has transitions that do not share descriptors we
+ // can't use this shortcut because field type and representation must be
+ // updated in all the transitions from this map.
+ if (old_representation.IsNone() && !new_representation.IsNone() &&
+ !new_representation.IsDouble() &&
+ (!old_map->HasTransitionArray() ||
+ old_map->transitions()->IsSimpleTransition())) {
DCHECK(old_details.type() == FIELD);
DCHECK(old_descriptors->GetFieldType(modify_index)->NowIs(
HeapType::None()));
Index: test/mjsunit/regress/regress-3687.js
diff --git a/test/mjsunit/regress/regress-crbug-357330.js
b/test/mjsunit/regress/regress-3687.js
similarity index 56%
copy from test/mjsunit/regress/regress-crbug-357330.js
copy to test/mjsunit/regress/regress-3687.js
index
b3edf00843e1a9d202212c24d96dc3ad5d027f12..e1df1b4e1d3dbef376a13a2e80e7fb543ee639b9
100644
--- a/test/mjsunit/regress/regress-crbug-357330.js
+++ b/test/mjsunit/regress/regress-3687.js
@@ -4,13 +4,19 @@
// Flags: --allow-natives-syntax
-function f(foo) {
- var g;
- true ? (g = foo + 0) : g = null;
- if (null != g) {}
-};
+var t1 = { f1: 0 };
+var t2 = { f2: 0 };
-f(1.4);
-f(1.4);
-%OptimizeFunctionOnNextCall(f);
-f(1.4);
+var z = {
+ x: {
+ x: t1,
+ y: {
+ x: {},
+ z1: {
+ x: t2,
+ y: 1
+ }
+ }
+ },
+ z2: 0
+};
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
