From: ulan@chromium.org
Date: Tue, 18 Mar 2014 13:29:29 +0000 (+0000)
Subject: Fix TransitionElementsKindStub to handle non-JSArray objects correctly.
X-Git-Tag: upstream/4.7.83~10197
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=487ca9e38483d5cca5723398fbd50bf1799af2cc;p=platform%2Fupstream%2Fv8.git
Fix TransitionElementsKindStub to handle non-JSArray objects correctly.
BUG=352982
LOG=N
TEST=mjsunit/regress/regress-352982.js
R=danno@chromium.org
Review URL: https://codereview.chromium.org/196343023
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20033 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
diff --git a/src/a64/lithium-codegen-a64.cc b/src/a64/lithium-codegen-a64.cc
index 6c29abd..48f8ea6 100644
--- a/src/a64/lithium-codegen-a64.cc
+++ b/src/a64/lithium-codegen-a64.cc
@@ -5627,7 +5627,8 @@ void LCodeGen::DoTransitionElementsKind(LTransitionElementsKind* instr) {
  this, Safepoint::kWithRegistersAndDoubles);
  __ Mov(x0, object);
  __ Mov(x1, Operand(to_map));
- TransitionElementsKindStub stub(from_kind, to_kind);
+ bool is_js_array = from_map->instance_type() == JS_ARRAY_TYPE;
+ TransitionElementsKindStub stub(from_kind, to_kind, is_js_array);
  __ CallStub(&stub);
  RecordSafepointWithRegistersAndDoubles(
  instr->pointer_map(), 0, Safepoint::kNoLazyDeopt);
diff --git a/src/arm/lithium-codegen-arm.cc b/src/arm/lithium-codegen-arm.cc
index 2a15258..7b1c537 100644
--- a/src/arm/lithium-codegen-arm.cc
+++ b/src/arm/lithium-codegen-arm.cc
@@ -4359,7 +4359,8 @@ void LCodeGen::DoTransitionElementsKind(LTransitionElementsKind* instr) {
  this, Safepoint::kWithRegistersAndDoubles);
  __ Move(r0, object_reg);
  __ Move(r1, to_map);
- TransitionElementsKindStub stub(from_kind, to_kind);
+ bool is_js_array = from_map->instance_type() == JS_ARRAY_TYPE;
+ TransitionElementsKindStub stub(from_kind, to_kind, is_js_array);
  __ CallStub(&stub);
  RecordSafepointWithRegistersAndDoubles(
  instr->pointer_map(), 0, Safepoint::kNoLazyDeopt);
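Review bot: The expression `from_map->instance_type() == JS_ARRAY_TYPE` that feeds the new stub argument is copy-pasted into five backends (this a64 hunk and the arm, ia32, mips and x64 hunks of DoTransitionElementsKind), so every future port, and any later change to which instance types the stub treats as arrays, has to be kept in sync by hand; deriving the flag once in a shared helper that each backend calls would remove that drift risk. The flag is presumably trusted by the generated stub to describe the receiver's layout, so if an elements-kind transition can never change the instance type, an `ASSERT(from_map->instance_type() == to_map->instance_type());` beside it would make that assumption checked rather than implicit. DoTransitionElementsKind begins and ends outside the hunk, so where from_map and to_map are obtained is not visible here.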
diff --git a/src/code-stubs-hydrogen.cc b/src/code-stubs-hydrogen.cc
index 3f4997f..040c260 100644
--- a/src/code-stubs-hydrogen.cc
+++ b/src/code-stubs-hydrogen.cc
@@ -645,7 +645,7 @@ HValue* CodeStubGraphBuilder::BuildCodeStub() {
  GetParameter(1),
  casted_stub()->from_kind(),
  casted_stub()->to_kind(),
- true);
+ casted_stub()->is_js_array());
  return GetParameter(0);
 }
 
diff --git a/src/code-stubs.h b/src/code-stubs.h
index d4240c8..8b42cec 100644
--- a/src/code-stubs.h
+++ b/src/code-stubs.h
@@ -2035,9 +2035,11 @@ class KeyedStoreFastElementStub : public HydrogenCodeStub {
 class TransitionElementsKindStub : public HydrogenCodeStub {
  public:
  TransitionElementsKindStub(ElementsKind from_kind,
- ElementsKind to_kind) {
+ ElementsKind to_kind,
+ bool is_js_array) {
  bit_field_ = FromKindBits::encode(from_kind) |
- ToKindBits::encode(to_kind);
+ ToKindBits::encode(to_kind) |
+ IsJSArrayBits::encode(is_js_array);
  }
 
  ElementsKind from_kind() const {
@@ -2048,6 +2050,10 @@ class TransitionElementsKindStub : public HydrogenCodeStub {
  return ToKindBits::decode(bit_field_);
  }
 
+ bool is_js_array() const {
+ return IsJSArrayBits::decode(bit_field_);
+ }
+
  virtual Handle GenerateCode(Isolate* isolate);
 
  virtual void InitializeInterfaceDescriptor(
@@ -2057,6 +2063,7 @@ class TransitionElementsKindStub : public HydrogenCodeStub {
  private:
  class FromKindBits: public BitField {};
  class ToKindBits: public BitField {};
+ class IsJSArrayBits: public BitField {};
  uint32_t bit_field_;
 
  Major MajorKey() { return TransitionElementsKind; }
diff --git a/src/ia32/lithium-codegen-ia32.cc b/src/ia32/lithium-codegen-ia32.cc
index 36e876d..7d62d5c 100644
--- a/src/ia32/lithium-codegen-ia32.cc
+++ b/src/ia32/lithium-codegen-ia32.cc
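Review bot: The bit position and width of the new `IsJSArrayBits` field in the third code-stubs.h hunk are not visible on this page (the BitField template arguments were stripped in rendering), so a reviewer has to confirm two things against the header: that the field does not overlap `FromKindBits`/`ToKindBits`, and that `bit_field_` as a whole is what the stub reports as its minor key — `MajorKey()` is visible, the minor key is not. If the code cache keyed this stub only on from/to kind, the `true` and `false` variants would alias in the cache and the hydrogen hunk's switch from the constant `true` to `casted_stub()->is_js_array()` would only take effect for whichever variant was compiled first. The new accessor also deserves a one-line comment stating what the flag means, e.g. `// True when the receiver being transitioned is a JSArray; callers derive it from from_map->instance_type().`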
@@ -4726,7 +4726,8 @@ void LCodeGen::DoTransitionElementsKind(LTransitionElementsKind* instr) {
  __ mov(eax, object_reg);
  }
  __ mov(ebx, to_map);
- TransitionElementsKindStub stub(from_kind, to_kind);
+ bool is_js_array = from_map->instance_type() == JS_ARRAY_TYPE;
+ TransitionElementsKindStub stub(from_kind, to_kind, is_js_array);
  __ CallStub(&stub);
  RecordSafepointWithRegisters(
  instr->pointer_map(), 0, Safepoint::kNoLazyDeopt);
diff --git a/src/mips/lithium-codegen-mips.cc b/src/mips/lithium-codegen-mips.cc
index edbc9b5..7311db6 100644
--- a/src/mips/lithium-codegen-mips.cc
+++ b/src/mips/lithium-codegen-mips.cc
@@ -4382,7 +4382,8 @@ void LCodeGen::DoTransitionElementsKind(LTransitionElementsKind* instr) {
  this, Safepoint::kWithRegistersAndDoubles);
  __ mov(a0, object_reg);
  __ li(a1, Operand(to_map));
- TransitionElementsKindStub stub(from_kind, to_kind);
+ bool is_js_array = from_map->instance_type() == JS_ARRAY_TYPE;
+ TransitionElementsKindStub stub(from_kind, to_kind, is_js_array);
  __ CallStub(&stub);
  RecordSafepointWithRegistersAndDoubles(
  instr->pointer_map(), 0, Safepoint::kNoLazyDeopt);
diff --git a/src/x64/lithium-codegen-x64.cc b/src/x64/lithium-codegen-x64.cc
index 332c2ee..10f8e0e 100644
--- a/src/x64/lithium-codegen-x64.cc
+++ b/src/x64/lithium-codegen-x64.cc
@@ -4373,7 +4373,8 @@ void LCodeGen::DoTransitionElementsKind(LTransitionElementsKind* instr) {
  __ movp(rax, object_reg);
  }
  __ Move(rbx, to_map);
- TransitionElementsKindStub stub(from_kind, to_kind);
+ bool is_js_array = from_map->instance_type() == JS_ARRAY_TYPE;
+ TransitionElementsKindStub stub(from_kind, to_kind, is_js_array);
  __ CallStub(&stub);
  RecordSafepointWithRegisters(
  instr->pointer_map(), 0, Safepoint::kNoLazyDeopt);
diff --git a/test/mjsunit/regress/regress-352982.js b/test/mjsunit/regress/regress-352982.js
new file mode 100644
index 0000000..5d3ce1c
--- /dev/null
+++ b/test/mjsunit/regress/regress-352982.js
@@ -0,0 +1,51 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+function __f_4(i1) {
+ return __v_3[i1] * __v_3[0];
+}
+function __f_3(i1) {
+ __f_4(i1);
+ __f_4(i1 + 16);
+ __f_4(i1 + 32);
+ %OptimizeFunctionOnNextCall(__f_4);
+ var x = __f_4(i1 + 993);
+ return x;
+}
+function __f_5() {
+ __v_3[0] = +__v_3[0];
+ gc();
+ __f_3(0) | 0;
+ __v_3 = /\u23a1|x/;
+ return 0;
+}
+var __v_3 = new Float32Array(1000);
+__f_5();
+__f_5();
+__f_5();
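Review bot: The test reads as a minimized fuzzer case (`__f_4`, `__v_3`, the `/\u23a1|x/` regexp) and says nothing about which path it is meant to cover, so a later change that stops optimized code from reaching TransitionElementsKindStub would leave it passing without exercising anything; a header comment naming the scenario would help, e.g. `// Regression test for BUG=352982: TransitionElementsKindStub invoked from optimized code on a receiver that is not a JSArray.` The three `__f_5()` calls and the `gc()` inside `__f_5` appear to be what gets the receiver into the transitioning state on a later round; if that is the intent, one comment saying so would save the next reader from trying to minimise further and accidentally dropping the part that triggers the bug.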