From 057371da13212d91442e79f817ce8a75819f446d Mon Sep 17 00:00:00 2001
From: "mstarzinger@chromium.org"
Date: Tue, 27 Mar 2012 10:42:38 +0000
Subject: [PATCH] Fix polymorphic load on named fields.

This fixes polymorphic loads to correctly compare in-object offsets instead of indices, because indices might coincide even though the actual slot is different because of different instance sizes.

R=danno@chromium.org
BUG=v8:2030
TEST=mjsunit/regress/regress-2030,mjsunit/mirror-array

Review URL: https://chromiumcodereview.appspot.com/9864028

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11153 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/hydrogen.cc | 18 ++++++++++--
 test/mjsunit/regress/regress-2030.js | 53 ++++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 3 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-2030.js

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 4da1609..8c55a32 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -4029,7 +4029,8 @@ void HGraphBuilder::HandlePolymorphicLoadNamedField(Property* expr,
 SmallMapList* types,
 Handle name) {
 int count = 0;
- int previous_field_index = 0;
+ int previous_field_offset = 0;
+ bool previous_field_is_in_object = false;
 bool is_monomorphic_field = true;
 Handle map;
 LookupResult lookup(isolate());
@@ -4037,10 +4038,21 @@ void HGraphBuilder::HandlePolymorphicLoadNamedField(Property* expr,
 map = types->at(i);
 if (ComputeLoadStoreField(map, name, &lookup, false)) {
 int index = ComputeLoadStoreFieldIndex(map, name, &lookup);
+ bool is_in_object = index < 0;
+ int offset = index * kPointerSize;
+ if (index < 0) {
+ // Negative property indices are in-object properties, indexed
+ // from the end of the fixed part of the object.
+ offset += map->instance_size();
+ } else {
+ offset += FixedArray::kHeaderSize;
+ }
 if (count == 0) {
- previous_field_index = index;
+ previous_field_offset = offset;
+ previous_field_is_in_object = is_in_object;
 } else if (is_monomorphic_field) {
- is_monomorphic_field = (index == previous_field_index);
+ is_monomorphic_field = (offset == previous_field_offset) &&
+ (is_in_object == previous_field_is_in_object);
 }
 ++count;
 }
diff --git a/test/mjsunit/regress/regress-2030.js b/test/mjsunit/regress/regress-2030.js
new file mode 100644
index 0000000..fb5a3d0
--- /dev/null
+++ b/test/mjsunit/regress/regress-2030.js
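Review bot: `if (index < 0) {` in the added offset computation re-tests the predicate that was stored in `is_in_object` one line earlier; writing it as `if (is_in_object) {` makes it explicit that the branch and the flag compared later are the same condition and cannot drift apart. The new comment covers only the negative-index case, so a matching one-liner on the else branch, `// Non-negative indices address the out-of-object properties array.`, would make the pair symmetric. If the same index-to-offset conversion is also performed where the load is finally emitted after the loop (not visible in this hunk), pulling it into a small helper used by both sites would keep the equality test and the emitted load computing the same offset. HandlePolymorphicLoadNamedField starts and ends outside this hunk.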
@@ -0,0 +1,53 @@
+// Copyright 2012 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+function a() {
+ this.x = 1;
+}
+var aa = new a();
+%DebugPrint(aa);
+
+function b() {
+ this.z = 23;
+ this.x = 2;
+}
+var bb = new b();
+%DebugPrint(bb);
+
+function f(o) {
+ return o.x;
+}
+
+assertSame(1, f(aa));
+assertSame(1, f(aa));
+assertSame(2, f(bb));
+assertSame(2, f(bb));
+%OptimizeFunctionOnNextCall(f);
+assertSame(1, f(aa));
+assertSame(2, f(bb));
-- 
2.7.4
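Review bot: `%DebugPrint(aa);` and `%DebugPrint(bb);` dump object layout to stdout on every run and play no part in what the test asserts; they read as leftover debugging output and can be dropped (`--allow-natives-syntax` is still required for `%OptimizeFunctionOnNextCall`). The file also never says why the two constructors are shaped the way they are; a one-line comment above `function b()` such as `// x is the last in-object field of both a and b, while the two objects differ in size.` would record the collision this regression test guards against, in line with the commit description.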