Don't convert dictionary sloppy arguments to fast double mode.

author verwaest@chromium.org <verwaest@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>

Tue, 25 Mar 2014 14:14:58 +0000 (14:14 +0000)

committer verwaest@chromium.org <verwaest@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>

Tue, 25 Mar 2014 14:14:58 +0000 (14:14 +0000)
author verwaest@chromium.org <verwaest@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Tue, 25 Mar 2014 14:14:58 +0000 (14:14 +0000)
committer verwaest@chromium.org <verwaest@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Tue, 25 Mar 2014 14:14:58 +0000 (14:14 +0000)
diff --git a/src/objects.cc b/src/objects.cc

index 11f53b9..f56ef57 100644 (file)
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -11238,6 +11238,7 @@ MaybeObject* JSObject::SetFastDoubleElementsCapacityAndLength(
    }
  
    ElementsKind elements_kind = GetElementsKind();
+  CHECK(elements_kind != SLOPPY_ARGUMENTS_ELEMENTS);
    ElementsKind new_elements_kind = elements_kind;
    if (IsHoleyElementsKind(elements_kind)) {
      new_elements_kind = FAST_HOLEY_DOUBLE_ELEMENTS;
@@ -11257,13 +11258,9 @@ MaybeObject* JSObject::SetFastDoubleElementsCapacityAndLength(
          accessor->CopyElements(this, elems, elements_kind);
      if (maybe_obj->IsFailure()) return maybe_obj;
    }
-  if (elements_kind != SLOPPY_ARGUMENTS_ELEMENTS) {
-    ValidateElements();
-    set_map_and_elements(new_map, elems);
-  } else {
-    FixedArray* parameter_map = FixedArray::cast(old_elements);
-    parameter_map->set(1, elems);
-  }
+
+  ValidateElements();
+  set_map_and_elements(new_map, elems);
  
    if (FLAG_trace_elements_transitions) {
      PrintElementsTransition(stdout, elements_kind, old_elements,
@@ -13124,6 +13121,7 @@ bool JSObject::ShouldConvertToFastElements() {
  bool JSObject::ShouldConvertToFastDoubleElements(
      bool* has_smi_only_elements) {
    *has_smi_only_elements = false;
+  if (HasSloppyArgumentsElements()) return false;
    if (FLAG_unbox_double_arrays) {
      ASSERT(HasDictionaryElements());
      SeededNumberDictionary* dictionary = element_dictionary();
diff --git a/test/mjsunit/regress/regress-dictionary-to-fast-arguments.js b/test/mjsunit/regress/regress-dictionary-to-fast-arguments.js

new file mode 100644 (file)

index 0000000..f12679a
--- /dev/null
+++ b/test/mjsunit/regress/regress-dictionary-to-fast-arguments.js
@@ -0,0 +1,11 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function f(a, b) {
+  for (var i = 10000; i > 0; i--) {
+    arguments[i] = 0;
+  }
+}
+
+f(1.5, 2.5);
author	verwaest@chromium.org <verwaest@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
	Tue, 25 Mar 2014 14:14:58 +0000 (14:14 +0000)
committer	verwaest@chromium.org <verwaest@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
	Tue, 25 Mar 2014 14:14:58 +0000 (14:14 +0000)
src/objects.cc		patch \| blob \| history
test/mjsunit/regress/regress-dictionary-to-fast-arguments.js	[new file with mode: 0644]	patch \| blob