Reviewers: Jakob, Sven Panne,
Message:
PTAL
Description:
Ensure the constant operand for heap-object store-named-field is not a smi.
BUG=
Please review this at https://codereview.chromium.org/210193002/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+19, -13 lines):
M src/ia32/lithium-codegen-ia32.cc
M src/x64/lithium-codegen-x64.cc
A + test/mjsunit/regress/regress-store-heapobject.js
Index: src/ia32/lithium-codegen-ia32.cc
diff --git a/src/ia32/lithium-codegen-ia32.cc
b/src/ia32/lithium-codegen-ia32.cc
index
7c0df1847a05ca3d3a5362ff6f82150f4273a35f..8441274b620a67f0416c3bf37471891135b9dfa8
100644
--- a/src/ia32/lithium-codegen-ia32.cc
+++ b/src/ia32/lithium-codegen-ia32.cc
@@ -4351,7 +4351,7 @@ void LCodeGen::DoStoreNamedField(LStoreNamedField*
instr) {
} else if (representation.IsHeapObject()) {
if (instr->value()->IsConstantOperand()) {
LConstantOperand* operand_value =
LConstantOperand::cast(instr->value());
- if (IsInteger32(operand_value)) {
+ if (chunk_->LookupConstant(operand_value)->HasSmiValue()) {
DeoptimizeIf(no_condition, instr->environment());
}
} else {
Index: src/x64/lithium-codegen-x64.cc
diff --git a/src/x64/lithium-codegen-x64.cc b/src/x64/lithium-codegen-x64.cc
index
5849cf4ef910d6573c75dd7b4858a964e75192b9..638c26add6c6eea138056441e7a8de97981ebe73
100644
--- a/src/x64/lithium-codegen-x64.cc
+++ b/src/x64/lithium-codegen-x64.cc
@@ -3966,7 +3966,7 @@ void LCodeGen::DoStoreNamedField(LStoreNamedField*
instr) {
} else if (representation.IsHeapObject()) {
if (instr->value()->IsConstantOperand()) {
LConstantOperand* operand_value =
LConstantOperand::cast(instr->value());
- if (IsInteger32Constant(operand_value)) {
+ if (chunk_->LookupConstant(operand_value)->HasSmiValue()) {
DeoptimizeIf(no_condition, instr->environment());
}
} else {
Index: test/mjsunit/regress/regress-store-heapobject.js
diff --git a/test/mjsunit/regress/regress-check-eliminate-loop-phis.js
b/test/mjsunit/regress/regress-store-heapobject.js
similarity index 52%
copy from test/mjsunit/regress/regress-check-eliminate-loop-phis.js
copy to test/mjsunit/regress/regress-store-heapobject.js
index
3791c35f71ccfc50dd384978e449103b39f6bff7..9f2a1b8ffadf093ed39d99f00807344fcb51d853
100644
--- a/test/mjsunit/regress/regress-check-eliminate-loop-phis.js
+++ b/test/mjsunit/regress/regress-store-heapobject.js
@@ -4,18 +4,24 @@
// Flags: --allow-natives-syntax
-function f() {
- var o = {x:1};
- var y = {y:2.5, x:0};
- var result;
- for (var i = 0; i < 2; i++) {
- result = o.x + 3;
- o = y;
+var o = {a: undefined};
+
+function store(o, v) {
+ o.a = v;
+}
+
+store(o, undefined);
+store(o, undefined);
+
+function f(bool) {
+ var o = {a: undefined};
+ if (bool) {
+ store(o, 1);
}
- return result;
+ return o;
}
-f();
-f();
+f(false);
+f(false);
%OptimizeFunctionOnNextCall(f);
-assertEquals(3, f());
+f(true);
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
