[v8-dev] Merged r14906 into trunk branch. (issue 15813011)

jkummerow Fri, 31 May 2013 08:54:32 -0700

Reviewers: Michael Starzinger,

Description:
Merged r14906 into trunk branch.


Fast literals: fixed initialization of non-copied in-object property fields

BUG=chromium:245424
[email protected]

Please review this at https://codereview.chromium.org/15813011/

SVN Base: https://v8.googlecode.com/svn/trunk

Affected files:
  M src/hydrogen.cc
  M src/version.cc
  A + test/mjsunit/regress/regress-crbug-245424.js


Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc

index54a522506287259d83a7684002e5ad1fac33fc07..7ee6081026b7c58a786a3e3a5985a69259b1f787100644

--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc

@@ -10059,7 +10059,9 @@ voidHOptimizedGraphBuilder::BuildEmitInObjectProperties(

       HConstant(isolate()->factory()->one_pointer_filler_map(),
           Representation::Tagged()));
   for (int i = copied_fields; i < inobject_properties; i++) {
-    HObjectAccess access = HObjectAccess::ForJSObjectOffset(i);
+    ASSERT(boilerplate_object->IsJSObject());
+    int property_offset = boilerplate_object->GetInObjectPropertyOffset(i);

+ HObjectAccess access =HObjectAccess::ForJSObjectOffset(property_offset);

     AddStore(object_properties, access, value_instruction);
   }
 }
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc

index54a547f1abf280ffc731ec69cd4f1ca6b2349f67..f764d2e9330ab8af6340b18ab760dcec583c2068100644

--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     19
 #define BUILD_NUMBER      7
-#define PATCH_LEVEL       1
+#define PATCH_LEVEL       2
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
Index: test/mjsunit/regress/regress-crbug-245424.js

diff --git a/test/mjsunit/regress/regress-2671.jsb/test/mjsunit/regress/regress-crbug-245424.js

similarity index 88%
copy from test/mjsunit/regress/regress-2671.js
copy to test/mjsunit/regress/regress-crbug-245424.js

index8da1b8f07f69c487fe9913e485c60f3e257e0986..005c8baba9492dd339b4fbdc3b48f7577b9c308a100644

--- a/test/mjsunit/regress/regress-2671.js
+++ b/test/mjsunit/regress/regress-crbug-245424.js
@@ -27,19 +27,15 @@

 // Flags: --allow-natives-syntax

-var y;
-function f() {
-  var a = [];
-  a[20] = 0;
-  y = 3;
-  var i = 7 * (y + -0);
-  a[i] = 1/y;
-  assertFalse(isNaN(a[i]));
+function boom() {
+  var a = {
+    foo: "bar",
+    foo: "baz"
+  };
+  return a;
 }

-f();
-f();
-f();
-%OptimizeFunctionOnNextCall(f);
-f();
-
+assertEquals("baz", boom().foo);
+assertEquals("baz", boom().foo);
+%OptimizeFunctionOnNextCall(boom);
+assertEquals("baz", boom().foo);


--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev

---You received this message because you are subscribed to the Google Groups "v8-dev" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

[v8-dev] Merged r14906 into trunk branch. (issue 15813011)

Reply via email to