[v8-dev] Avoid unintentional optimization of hot builtins by TurboFan. (issue 817293005 by mstarzinger@chromium.org)

[mstarzinger]

Reviewers: titzer,

Description:
Avoid unintentional optimization of hot builtins by TurboFan.
R=tit...@chromium.org
TEST=mjsunit/regress/regress-crbug-451016
BUG=chromium:451016
LOG=N

Please review this at https://codereview.chromium.org/817293005/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+14, -8 lines):
  M src/bailout-reason.h
  M src/bootstrapper.cc
  M src/builtins.h
  M src/compiler/pipeline.cc
  A + test/mjsunit/regress/regress-crbug-451016.js


Index: src/bailout-reason.h
diff --git a/src/bailout-reason.h b/src/bailout-reason.h
index  
9f1795bd7af7ef5450596e199bd13c94a422e3d1..69f65be0dbd91c4f56f09f87c0284607d68dc6fa  
100644
--- a/src/bailout-reason.h
+++ b/src/bailout-reason.h
@@ -40,6 +40,7 @@ namespace internal {
     "BinaryStub_GenerateFloatingPointCode")                                     
\
    
V(kBothRegistersWereSmisInSelectNonSmi,                                       
\
     "Both registers were smis in  
SelectNonSmi")                                \
+  V(kBuiltinFunctionCannotBeOptimized, "Builtin function cannot be  
optimized") \
    
V(kCallToAJavaScriptRuntimeFunction,                                          
\
     "Call to a JavaScript runtime  
function")                                   \
    
V(kCannotTranslatePositionInChangedArea,                                      
\
Index: src/bootstrapper.cc
diff --git a/src/bootstrapper.cc b/src/bootstrapper.cc
index  
edd58e252a5339b7964cfd5f1cc95019dd34c240..e77dd97ebf12ae9f50781351b8c8df26a1fb9e1f  
100644
--- a/src/bootstrapper.cc
+++ b/src/bootstrapper.cc
@@ -2510,6 +2510,10 @@ bool  
Genesis::InstallJSBuiltins(Handle<JSBuiltinsObject> builtins) {
     Handle<Object> function_object = Object::GetProperty(
         isolate(), builtins, Builtins::GetName(id)).ToHandleChecked();
     Handle<JSFunction> function =  
Handle<JSFunction>::cast(function_object);
+    // TODO(mstarzinger): This is just a temporary hack to make TurboFan  
work,
+    // the correct solution is to restore the context register after  
invoking
+    // builtins from full-codegen.
+     
function->shared()->DisableOptimization(kBuiltinFunctionCannotBeOptimized);
     builtins->set_javascript_builtin(id, *function);
     if (!Compiler::EnsureCompiled(function, CLEAR_EXCEPTION)) {
       return false;
Index: src/builtins.h
diff --git a/src/builtins.h b/src/builtins.h
index  
a872c7f4222bec23b3f0e41b33519ce49ef3a8ea..91f674191b749788801b7b5684dae5c8a8fcd84b  
100644
--- a/src/builtins.h
+++ b/src/builtins.h
@@ -272,7 +272,6 @@ class Builtins {
     return names_[index];
   }
   static int GetArgumentsCount(JavaScript id) { return  
javascript_argc_[id]; }
-  Handle<Code> GetCode(JavaScript id, bool* resolved);
   static int NumberOfJavaScriptBuiltins() { return id_count; }

   bool is_initialized() const { return initialized_; }
Index: src/compiler/pipeline.cc
diff --git a/src/compiler/pipeline.cc b/src/compiler/pipeline.cc
index  
73aa9627b329e5402496309e54896ae4969ea7d4..1b0843bf2d895263b3222eebf97b991285858e21  
100644
--- a/src/compiler/pipeline.cc
+++ b/src/compiler/pipeline.cc
@@ -8,7 +8,6 @@
 #include <sstream>

 #include "src/base/platform/elapsed-timer.h"
-#include "src/bootstrapper.h"  // TODO(mstarzinger): Only temporary.
 #include "src/compiler/ast-graph-builder.h"
 #include "src/compiler/ast-loop-assignment-analyzer.h"
 #include "src/compiler/basic-block-instrumentor.h"
@@ -777,7 +776,10 @@ Handle<Code> Pipeline::GenerateCode() {
   // TODO(mstarzinger): This is just a temporary hack to make TurboFan  
work,
   // the correct solution is to restore the context register after invoking
   // builtins from full-codegen.
-  if (isolate()->bootstrapper()->IsActive()) return Handle<Code>::null();
+  if (info()->shared_info()->disable_optimization_reason() ==
+      kBuiltinFunctionCannotBeOptimized) {
+    return Handle<Code>::null();
+  }

   ZonePool zone_pool(isolate());
   SmartPointer<PipelineStatistics> pipeline_statistics;
Index: test/mjsunit/regress/regress-crbug-451016.js
diff --git a/test/mjsunit/regress/regress-449070.js  
b/test/mjsunit/regress/regress-crbug-451016.js
similarity index 58%
copy from test/mjsunit/regress/regress-449070.js
copy to test/mjsunit/regress/regress-crbug-451016.js
index  
7a0f0a838cdd25817ab6a2d8f63c1ef9fbe6e526..93152c36650b02c4404cd50d63ec60ea75319586  
100644
--- a/test/mjsunit/regress/regress-449070.js
+++ b/test/mjsunit/regress/regress-crbug-451016.js
@@ -1,10 +1,10 @@
 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
-//
-// Flags: --allow-natives-syntax

-try {
-  %NormalizeElements(this);
-} catch(e) {
+// Flags: --turbo-filter=STRICT_EQUALS
+
+var value = NaN;
+for (i = 0; i < 256; i++) {
+  value === "A" || value === "B";
 }


--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
--- 
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.