Updates:
Status: Assigned
Owner: [email protected]
Comment #1 on issue 2306 by [email protected]: Unexpected bounds-check
bailout accessing Int8Array
http://code.google.com/p/v8/issues/detail?id=2306
I think it is related to https://chromiumcodereview.appspot.com/10831049
and the fix landed afterwards
https://chromiumcodereview.appspot.com/10829456/. I build my hypothesis on
the following line from the deopt:
0xbffb435c: [top + 16] <- 0x49e3b77d ; ebx 0x49e3b77d <Number: 1799618>
which indicates that index is a tagged HeapNumber, not a smi.
Here is a somewhat artificial example I came up with:
function lhu(ram,a) { return ram[a + 0]; }
var arr = new Int8Array(8*1024*1024);
function HeapNumber(x, y) { return x - y; }
var number8 = HeapNumber(8.8, 0.8); // this should be equal to precisely 8.
lhu(arr, {valueOf: function () { return 0; }}); // make the add IC go to a tagged state
lhu(arr, number8);
%OptimizeFunctionOnNextCall(lhu);
lhu(arr, -0); // prevent the addition IC from going into int32 state
lhu(arr, number8);
%OptimizeFunctionOnNextCall(lhu);
lhu(arr, -0); // prevent the addition IC from going into int32 state
lhu(arr, number8);
%OptimizeFunctionOnNextCall(lhu);
lhu(arr, -0); // prevent the addition IC from going into int32 state
lhu(arr, number8);
I am not completely sure how it relates to what happens in your case, Paul.
Can you attach the hydrogen representation for the lhu that deopts to the
issue so that we can try to relate it with my artificial one? Can you also
try to beef up assertions in lhu to check that a is a number (typeof a
=== "number") and not a minus zero (a !== 0 || (1/a) === (1/0))?
I am triaging it to Toon, because there seems to be a problem with
restricting BoundsCheck to SMI: if you ever get in the state where
HeapNumbers come in you'll end up deopting for nothing.
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
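
The index checks requested in the comment above, written out as a call-site tally. This is an added example, not part of the original message or of V8; `classifyIndex`, `tallyIndexKinds` and `runSample` are hypothetical names, and the 31-bit smi range is an assumption based on the 32-bit register (ebx) in the deopt line.

```javascript
// Added diagnostic, not V8 or issue-tracker code. All names are hypothetical.
// Assumption: 31-bit smis, as on a 32-bit (ia32) build.
const SMI_MIN = -(2 ** 30);
const SMI_MAX = 2 ** 30 - 1;

// Classify a value that is about to be used as a typed-array index.
function classifyIndex(a) {
  if (typeof a !== "number") return "non-number"; // e.g. an object with valueOf
  // Negation of the comment's check (a !== 0 || (1/a) === (1/0)).
  if (a === 0 && 1 / a === -Infinity) return "minus-zero";
  if (!Number.isFinite(a)) return "non-finite";
  if (!Number.isInteger(a)) return "fractional";
  if (a < SMI_MIN || a > SMI_MAX) return "outside-smi-range";
  // Script cannot observe whether such a value is stored as a smi or boxed
  // as a HeapNumber, so this class does not rule out the reported deopt.
  return "smi-range-integer";
}

// Wrap fn so every call records the class of the argument at position argPos.
function tallyIndexKinds(fn, argPos) {
  const tally = {};
  const wrapped = function (...args) {
    const kind = classifyIndex(args[argPos]);
    tally[kind] = (tally[kind] || 0) + 1;
    return fn.apply(this, args);
  };
  wrapped.tally = tally;
  return wrapped;
}

// The call sequence from the comment, without the %-natives calls.
function runSample() {
  function lhu(ram, a) { return ram[a + 0]; }
  const arr = new Int8Array(8 * 1024 * 1024);
  const number8 = 8.8 - 0.8;
  const probed = tallyIndexKinds(lhu, 1);
  probed(arr, { valueOf() { return 0; } });
  probed(arr, number8);
  probed(arr, -0);
  probed(arr, 1799618); // index value shown in the deopt line
  return probed.tally;
}

console.log(runSample());
```

A tally containing only "smi-range-integer" entries means the values themselves are valid indices, which leaves the tagged representation as the remaining suspect.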