Reviewers: Michael Starzinger,
Message:
Hi Michael, if you can have a look, it is the fix we discussed. Amazingly
(appallingly), it was only missing on ia32 platform. :p
Description:
Missing type cell on ia32 from bindings.
Javascript constructors called from C++ code didn't have a type cell
properly filled in on ia32. This showed up as a bug in webkit bindings.
Re-enabled flag optimize-constructed-arrays.
BUG=
Please review this at https://codereview.chromium.org/15870002/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/flag-definitions.h
M src/ia32/builtins-ia32.cc
M test/mjsunit/allocation-site-info.js
Index: src/flag-definitions.h
diff --git a/src/flag-definitions.h b/src/flag-definitions.h
index
7b5ba1ef8eab50b40a664ba2ceb76557148d02e0..859487a6f8d3f97b9187a18690f41d7c0ad55b25
100644
--- a/src/flag-definitions.h
+++ b/src/flag-definitions.h
@@ -258,7 +258,7 @@ DEFINE_bool(unreachable_code_elimination, false,
"eliminate unreachable code (hidden behind soft deopts)")
DEFINE_bool(track_allocation_sites, true,
"Use allocation site info to reduce transitions")
-DEFINE_bool(optimize_constructed_arrays, false,
+DEFINE_bool(optimize_constructed_arrays, true,
"Use allocation site info on constructed arrays")
DEFINE_bool(trace_osr, false, "trace on-stack replacement")
DEFINE_int(stress_runs, 0, "number of stress runs")
Index: src/ia32/builtins-ia32.cc
diff --git a/src/ia32/builtins-ia32.cc b/src/ia32/builtins-ia32.cc
index
2b45d7654d852a0184a12ed6ee836292366e111e..ebc988232178ad7845ca29c703ef22461f7828da
100644
--- a/src/ia32/builtins-ia32.cc
+++ b/src/ia32/builtins-ia32.cc
@@ -486,6 +486,10 @@ static void
Generate_JSEntryTrampolineHelper(MacroAssembler* masm,
// Invoke the code.
if (is_construct) {
+ // No type feedback cell is available
+ Handle<Object> undefined_sentinel(
+ masm->isolate()->heap()->undefined_value(), masm->isolate());
+ __ mov(ebx, Operand(undefined_sentinel));
CallConstructStub stub(NO_CALL_FUNCTION_FLAGS);
__ CallStub(&stub);
} else {
Index: test/mjsunit/allocation-site-info.js
diff --git a/test/mjsunit/allocation-site-info.js
b/test/mjsunit/allocation-site-info.js
index
d7189932141378b8f06f7312062cd1402e5914ee..45605317fea69bfd116897c75e9a1a08fc5a9bdb
100644
--- a/test/mjsunit/allocation-site-info.js
+++ b/test/mjsunit/allocation-site-info.js
@@ -37,7 +37,7 @@
// support_smi_only_arrays = %HasFastSmiElements(new
Array(1,2,3,4,5,6,7,8));
support_smi_only_arrays = true;
-optimize_constructed_arrays = false;
+optimize_constructed_arrays = true;
if (support_smi_only_arrays) {
print("Tests include smi-only arrays.");
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
