Reviewers: jarin,

Description:
Fix deoptimization problem with inlined Array.push()

R=ja...@chromium.org
LOG=N

Please review this at https://codereview.chromium.org/247573008/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+17, -4 lines):
  M src/deoptimizer.cc
  M src/hydrogen.cc
  A test/mjsunit/array-push10.js


Index: src/deoptimizer.cc
diff --git a/src/deoptimizer.cc b/src/deoptimizer.cc
index e2fa5f33ce4a88753f8d46559c59c90f13d172a5..5517deef4d2dcb3802f3e08601ea3e7814da8f7a 100644
--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@@ -2632,13 +2632,11 @@ unsigned Deoptimizer::ComputeInputFrameSize() const {
   // function into account so we have to avoid double counting them.
   unsigned result = fixed_size + fp_to_sp_delta_ -
       StandardFrameConstants::kFixedFrameSizeFromFp;
-#ifdef DEBUG
   if (compiled_code_->kind() == Code::OPTIMIZED_FUNCTION) {
     unsigned stack_slots = compiled_code_->stack_slots();
     unsigned outgoing_size = ComputeOutgoingArgumentSize();
- ASSERT(result == fixed_size + (stack_slots * kPointerSize) + outgoing_size);
+ CHECK(result == fixed_size + (stack_slots * kPointerSize) + outgoing_size);
   }
-#endif
   return result;
 }
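Review bot: The CHECK that replaces the ASSERT now runs in release builds on every deoptimization, but the only comment in the hunk still explains the double-counting of the fixed frame part, not why this invariant deserves a hard abort outside DEBUG. If the intent is that a disagreement between the fp-derived size and the stack-slot-derived size must never be used to lay out output frames (presumably it would size them wrongly), state that on the line: `// Release-mode CHECK on purpose: a mismatched input frame size must abort rather than produce a wrongly sized frame.`. ComputeOutgoingArgumentSize() is now also evaluated in release builds; if it is more than a trivial lookup that is a small per-deopt cost worth a mention. ComputeInputFrameSize begins before the hunk.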

Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 843be65710acfbefdd16144fde51eb49ea70b003..95e190ed1c3711035843abe52ba5d4b59ef7b062 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -7811,6 +7811,7 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall(

       HValue* value_to_push = Pop();
       HValue* array = Pop();
+      Drop(1);  // Drop function.

       HInstruction* new_size = NULL;
       HValue* length = NULL;
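Review bot: The moved `Drop(1);  // Drop function.` line keeps only its old comment, which does not say why it must now precede the `Add<HSimulate>(expr->id(), REMOVABLE_SIMULATE)` shown in the second hunk; since the ordering is the entire fix, a later reorder could reintroduce the bug without any compiler or test complaint beyond the new mjsunit file. Presumably the simulate captures the environment the deoptimizer rebuilds, and leaving the function slot on the stack made that environment one slot larger than the real frame — if that is the mechanism, put it on the line: `Drop(1);  // Drop function before the simulate so the deopt environment matches the real frame.`. The second hunk is the pure removal of the old position and needs nothing further. TryInlineBuiltinMethodCall starts and ends outside both hunks.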
@@ -7832,7 +7833,6 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall(
         Add<HSimulate>(expr->id(), REMOVABLE_SIMULATE);
       }

-      Drop(1);  // Drop function.
       ast_context()->ReturnValue(new_size);
       return true;
     }
Index: test/mjsunit/array-push10.js
diff --git a/test/mjsunit/array-push10.js b/test/mjsunit/array-push10.js
new file mode 100644
index 0000000000000000000000000000000000000000..223186e0ec986436e9d5bee993633421784e1101
--- /dev/null
+++ b/test/mjsunit/array-push10.js
@@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function __f_17(__v_9) {
+ var __v_10 = 0;
+ var count = 10000;
+ while (count-- != 0) {
+   __v_9.push(0);
+   if (++__v_10 >= 2) return __v_9;
+   __v_10 = {};
+ }
+}
+
+__v_14 = __f_17([]);
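Review bot: The new test carries no assertion and no comment describing why `__f_17` is shaped this way, so it can only fail by crashing and a reader cannot tell which statement is the regression trigger. The `__v_10 = {}` reassignment looks like the part that forces a deoptimization inside the inlined push (`++__v_10` on an object yields NaN, so the early return is never taken and the loop runs until `count` is exhausted), and that is worth recording above the function, e.g. `// Regression test: assigning an object to __v_10 makes ++__v_10 deopt while Array.push() is inlined.`. If the loop is indeed expected to run to completion, `assertEquals(undefined, __v_14);` would pin the observable result instead of relying on the absence of a crash.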

