projects / platform / upstream / v8.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6cae9d1)
Fix deoptimization problem with inlined Array.push()
authordanno@chromium.org <danno@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Wed, 23 Apr 2014 13:20:28 +0000 (13:20 +0000)
committerdanno@chromium.org <danno@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Wed, 23 Apr 2014 13:20:28 +0000 (13:20 +0000)
R=jarin@chromium.org
LOG=N

Review URL: https://codereview.chromium.org/247573008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20911 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/deoptimizer.cc patch | blob | history
src/hydrogen.cc patch | blob | history
test/mjsunit/array-push10.js [new file with mode: 0644] patch | blob

diff --git a/src/deoptimizer.cc b/src/deoptimizer.cc
index e2fa5f3..5517dee 100644 (file)
--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@@ -2632,13 +2632,11 @@ unsigned Deoptimizer::ComputeInputFrameSize() const {
   // function into account so we have to avoid double counting them.
   unsigned result = fixed_size + fp_to_sp_delta_ -
       StandardFrameConstants::kFixedFrameSizeFromFp;
-#ifdef DEBUG
   if (compiled_code_->kind() == Code::OPTIMIZED_FUNCTION) {
     unsigned stack_slots = compiled_code_->stack_slots();
     unsigned outgoing_size = ComputeOutgoingArgumentSize();
-    ASSERT(result == fixed_size + (stack_slots * kPointerSize) + outgoing_size);
+    CHECK(result == fixed_size + (stack_slots * kPointerSize) + outgoing_size);
   }
-#endif
   return result;
 }
 
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 843be65..95e190e 100644 (file)
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -7811,6 +7811,7 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall(
 
       HValue* value_to_push = Pop();
       HValue* array = Pop();
+      Drop(1);  // Drop function.
 
       HInstruction* new_size = NULL;
       HValue* length = NULL;
@@ -7832,7 +7833,6 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall(
         Add<HSimulate>(expr->id(), REMOVABLE_SIMULATE);
       }
 
-      Drop(1);  // Drop function.
       ast_context()->ReturnValue(new_size);
       return true;
     }
diff --git a/test/mjsunit/array-push10.js b/test/mjsunit/array-push10.js
new file mode 100644 (file)
index 0000000..223186e
--- /dev/null
+++ b/test/mjsunit/array-push10.js
@@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function __f_17(__v_9) {
+ var __v_10 = 0;
+ var count = 10000;
+ while (count-- != 0) {
+   __v_9.push(0);
+   if (++__v_10 >= 2) return __v_9;
+   __v_10 = {};
+ }
+}
+
+__v_14 = __f_17([]);
Domain: Web Framework / Web Engine;