AllocationSites: when updating allocation site transition information,

be careful to merge feedback appropriately. For example, one array may
have gone holey, and then another allocated at the same place instead
went DOUBLE but remained packed. In this case the ElementsKind
ultimately stored in the AllocationSite should be HOLEY_DOUBLE.

BUG=
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/18531007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15629 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/objects.cc b/src/objects.cc
index cc28814373fceb9d450bb06d03c736b4db89c5d1..05cc9e9ba6f57a01b8a7a327f7d7db4e69022563 100644 (file)
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -12317,6 +12317,10 @@ MaybeObject* JSObject::UpdateAllocationSite(ElementsKind to_kind) {
   if (site->IsLiteralSite()) {
     JSArray* transition_info = JSArray::cast(site->transition_info());
     ElementsKind kind = transition_info->GetElementsKind();
+    // if kind is holey ensure that to_kind is as well.
+    if (IsHoleyElementsKind(kind)) {
+      to_kind = GetHoleyElementsKind(to_kind);
+    }
     if (AllocationSite::GetMode(kind, to_kind) == TRACK_ALLOCATION_SITE) {
       // If the array is huge, it's not likely to be defined in a local
       // function, so we shouldn't make new instances of it very often.
@@ -12335,6 +12339,10 @@ MaybeObject* JSObject::UpdateAllocationSite(ElementsKind to_kind) {
     }
   } else {
     ElementsKind kind = site->GetElementsKind();
+    // if kind is holey ensure that to_kind is as well.
+    if (IsHoleyElementsKind(kind)) {
+      to_kind = GetHoleyElementsKind(to_kind);
+    }
     if (AllocationSite::GetMode(kind, to_kind) == TRACK_ALLOCATION_SITE) {
       if (FLAG_trace_track_allocation_sites) {
         PrintF("AllocationSite: JSArray %p site updated %s->%s\n",

diff --git a/test/mjsunit/allocation-site-info.js b/test/mjsunit/allocation-site-info.js
index b8b1076ff9f11450f18f6821c4514b63df9a5d6c..442d108928eaad02e911ca60871c03642233d81f 100644 (file)
--- a/test/mjsunit/allocation-site-info.js
+++ b/test/mjsunit/allocation-site-info.js
@@ -282,6 +282,32 @@ if (support_smi_only_arrays) {
   obj = newarraycase_list_smiobj(2);
   assertKind(elements_kind.fast, obj);
 
+  // Case: array constructor calls with out of date feedback.
+  // The boilerplate should incorporate all feedback, but the input array
+  // should be minimally transitioned based on immediate need.
+  (function() {
+    function foo(i) {
+      // We have two cases, one for literals one for constructed arrays.
+      var a = (i == 0)
+        ? [1, 2, 3]
+        : new Array(1, 2, 3);
+      return a;
+    }
+
+    for (i = 0; i < 2; i++) {
+      a = foo(i);
+      b = foo(i);
+      b[5] = 1;  // boilerplate goes holey
+      assertHoley(foo(i));
+      a[0] = 3.5;  // boilerplate goes holey double
+      assertKind(elements_kind.fast_double, a);
+      assertNotHoley(a);
+      c = foo(i);
+      assertKind(elements_kind.fast_double, c);
+      assertHoley(c);
+    }
+  })();
+
   function newarraycase_onearg(len, value) {
     var a = new Array(len);
     a[0] = value;