Reviewers: Michael Starzinger,
Description:
[turbofan] Work around negative parameter count.
BUG=chromium:500824
LOG=n
[email protected]
Please review this at https://codereview.chromium.org/1186333002/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+18, -9 lines):
M src/compiler/typer.cc
A + test/mjsunit/regress/regress-crbug-500824.js
Index: src/compiler/typer.cc
diff --git a/src/compiler/typer.cc b/src/compiler/typer.cc
index
94b9d6d1bb118461dddac3aebc72f0b74a48b9bf..ba81c0f20e840d18b336a50df9344b1296720409
100644
--- a/src/compiler/typer.cc
+++ b/src/compiler/typer.cc
@@ -2410,6 +2410,10 @@ Type* Typer::Visitor::TypeConstant(Handle<Object>
value) {
int const arity =
JSFunction::cast(*value)->shared()->internal_formal_parameter_count();
switch (arity) {
+ case SharedFunctionInfo::kDontAdaptArgumentsSentinel:
+ // Some smart optimization at work... &%$!&@+$!
+ // https://code.google.com/p/chromium/issues/detail?id=500824
+ return Type::Any(zone());
case 0:
return typer_->cache_->Get(kAnyFunc0);
case 1:
@@ -2419,6 +2423,7 @@ Type* Typer::Visitor::TypeConstant(Handle<Object>
value) {
case 3:
return typer_->cache_->Get(kAnyFunc3);
default: {
+ DCHECK_LT(4, arity);
Type** const params = zone()->NewArray<Type*>(arity);
std::fill(¶ms[0], ¶ms[arity], Type::Any(zone()));
return Type::Function(Type::Any(zone()), arity, params, zone());
Index: test/mjsunit/regress/regress-crbug-500824.js
diff --git a/test/mjsunit/regress/regress-460937.js
b/test/mjsunit/regress/regress-crbug-500824.js
similarity index 51%
copy from test/mjsunit/regress/regress-460937.js
copy to test/mjsunit/regress/regress-crbug-500824.js
index
cd57f93328beb1e2bab4e814afb3445e6843abe0..08d0d107cad78c876d6f92e30c9159c3bb10d76a
100644
--- a/test/mjsunit/regress/regress-460937.js
+++ b/test/mjsunit/regress/regress-crbug-500824.js
@@ -4,16 +4,20 @@
// Flags: --allow-natives-syntax
-function f() {
- var a = new Array(100000);
- var i = 0;
- while (!%HasFastDoubleElements(a)) {
- a[i] = i;
- i += 0.1;
- }
- a[1] = 1.5;
+function get_thrower() {
+ "use strict";
+ return Object.getOwnPropertyDescriptor(arguments, "callee").get;
}
-f();
+var f = (function(v) {
+ "use asm";
+ function fun() {
+ switch (v) {}
+ }
+ return {
+ fun: fun
+ };
+})(get_thrower()).fun;
+
%OptimizeFunctionOnNextCall(f);
f();
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
