From 11df4b88158c0bd751e7f5b9900e4bcb8665a662 Mon Sep 17 00:00:00 2001
From: "mvstanton@chromium.org"
Date: Fri, 14 Mar 2014 10:22:55 +0000
Subject: [PATCH] Fix for issue 351261.

This relands the following fix: "HAllocate should never generate allocation code if the requested size does not fit into page. Regression test included. (bug 347543)" along with additional fixes to KeyedStoreIC.

BUG=351261
LOG=N
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/200113002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19926 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/a64/lithium-codegen-a64.cc | 6 +++++-
 src/arm/lithium-codegen-arm.cc | 6 +++++-
 src/ia32/lithium-codegen-ia32.cc | 6 +++++-
 src/ic.cc | 12 +++++-------
 src/mips/lithium-codegen-mips.cc | 6 +++++-
 src/x64/lithium-codegen-x64.cc | 6 +++++-
 test/mjsunit/regress/regress-351261.js | 19 +++++++++++++++++++
 7 files changed, 49 insertions(+), 12 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-351261.js

diff --git a/src/a64/lithium-codegen-a64.cc b/src/a64/lithium-codegen-a64.cc
index d801205..27b3339 100644
--- a/src/a64/lithium-codegen-a64.cc
+++ b/src/a64/lithium-codegen-a64.cc
@@ -1507,7 +1507,11 @@ void LCodeGen::DoAllocate(LAllocate* instr) {
 if (instr->size()->IsConstantOperand()) {
 int32_t size = ToInteger32(LConstantOperand::cast(instr->size()));
- __ Allocate(size, result, temp1, temp2, deferred->entry(), flags);
+ if (size <= Page::kMaxRegularHeapObjectSize) {
+ __ Allocate(size, result, temp1, temp2, deferred->entry(), flags);
+ } else {
+ __ B(deferred->entry());
+ }
 } else {
 Register size = ToRegister32(instr->size());
 __ Sxtw(size.X(), size);
diff --git a/src/arm/lithium-codegen-arm.cc b/src/arm/lithium-codegen-arm.cc
index 49b7a33..2a15258 100644
--- a/src/arm/lithium-codegen-arm.cc
+++ b/src/arm/lithium-codegen-arm.cc
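Review bot: The new `size <= Page::kMaxRegularHeapObjectSize` guard covers only the constant-operand branch; the `else` branch that takes the size from a register (`ToRegister32(instr->size())`) still emits an inline `Allocate` with no equivalent limit, so a dynamic size above the regular-object maximum would presumably still take the inline path. If an earlier check makes that impossible, say so next to the guard, e.g. `// Non-constant sizes are bounded by <CHECK-LOCATION> and never exceed kMaxRegularHeapObjectSize.`; otherwise the register path needs a runtime comparison against the same limit before `Allocate`. The identical guard is repeated in the arm (`@@ -5220`), ia32 (`@@ -5845`), mips (`@@ -5184`) and x64 (`@@ -5144`) hunks, and since the commit message frames this as an HAllocate invariant, one check in the platform-independent layer would keep the five backends from drifting. `DoAllocate` starts and ends outside the hunk.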
@@ -5220,7 +5220,11 @@ void LCodeGen::DoAllocate(LAllocate* instr) {
 if (instr->size()->IsConstantOperand()) {
 int32_t size = ToInteger32(LConstantOperand::cast(instr->size()));
- __ Allocate(size, result, scratch, scratch2, deferred->entry(), flags);
+ if (size <= Page::kMaxRegularHeapObjectSize) {
+ __ Allocate(size, result, scratch, scratch2, deferred->entry(), flags);
+ } else {
+ __ jmp(deferred->entry());
+ }
 } else {
 Register size = ToRegister(instr->size());
 __ Allocate(size,
diff --git a/src/ia32/lithium-codegen-ia32.cc b/src/ia32/lithium-codegen-ia32.cc
index f85ab3d..36e876d 100644
--- a/src/ia32/lithium-codegen-ia32.cc
+++ b/src/ia32/lithium-codegen-ia32.cc
@@ -5845,7 +5845,11 @@ void LCodeGen::DoAllocate(LAllocate* instr) {
 if (instr->size()->IsConstantOperand()) {
 int32_t size = ToInteger32(LConstantOperand::cast(instr->size()));
- __ Allocate(size, result, temp, no_reg, deferred->entry(), flags);
+ if (size <= Page::kMaxRegularHeapObjectSize) {
+ __ Allocate(size, result, temp, no_reg, deferred->entry(), flags);
+ } else {
+ __ jmp(deferred->entry());
+ }
 } else {
 Register size = ToRegister(instr->size());
 __ Allocate(size, result, temp, no_reg, deferred->entry(), flags);
diff --git a/src/ic.cc b/src/ic.cc
index 7f4d1cd..f1e3c55 100644
--- a/src/ic.cc
+++ b/src/ic.cc
@@ -1599,7 +1599,10 @@ KeyedAccessStoreMode KeyedStoreIC::GetStoreMode(Handle receiver,
 key->ToSmi()->To(&smi_key);
 int index = smi_key->value();
 bool oob_access = IsOutOfBoundsAccess(receiver, index);
- bool allow_growth = receiver->IsJSArray() && oob_access;
+ // Don't consider this a growing store if the store would send the receiver to
+ // dictionary mode.
+ bool allow_growth = receiver->IsJSArray() && oob_access &&
+ !receiver->WouldConvertToSlowElements(key);
 if (allow_growth) {
 // Handle growing array in stub if necessary.
 if (receiver->HasFastSmiElements()) {
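Review bot: The new comment says the store is not treated as growing when it would send the receiver to dictionary mode, but not what happens instead: with `allow_growth` false the out-of-bounds array store falls through to the non-growing modes computed further down, and the `@@ -1724` hunk then installs `StoreElementStub(receiver, store_mode)` unconditionally where the old code kept the generic stub. The property this relies on is that the element stub's bounds check misses to the runtime for such an index, and it should be stated rather than implied, e.g. `// The store then gets a non-growing mode and relies on the element stub's bounds check to miss to the runtime.` — confirm against the stub before committing to that wording. `WouldConvertToSlowElements(key)` is now evaluated for every out-of-bounds JSArray store rather than only for grow modes; if it is not cheap, a note on that would help too. `GetStoreMode` starts and ends outside the hunk.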
@@ -1724,12 +1727,7 @@ MaybeObject* KeyedStoreIC::Store(Handle object,
 if (!(receiver->map()->DictionaryElementsInPrototypeChainOnly())) {
 KeyedAccessStoreMode store_mode = GetStoreMode(receiver, key, value);
- // Use the generic stub if the store would send the receiver to
- // dictionary mode.
- if (!IsGrowStoreMode(store_mode) ||
- !receiver->WouldConvertToSlowElements(key)) {
- stub = StoreElementStub(receiver, store_mode);
- }
+ stub = StoreElementStub(receiver, store_mode);
 }
 }
 }
diff --git a/src/mips/lithium-codegen-mips.cc b/src/mips/lithium-codegen-mips.cc
index d9619ed..0f19ce2 100644
--- a/src/mips/lithium-codegen-mips.cc
+++ b/src/mips/lithium-codegen-mips.cc
@@ -5184,7 +5184,11 @@ void LCodeGen::DoAllocate(LAllocate* instr) {
 }
 if (instr->size()->IsConstantOperand()) {
 int32_t size = ToInteger32(LConstantOperand::cast(instr->size()));
- __ Allocate(size, result, scratch, scratch2, deferred->entry(), flags);
+ if (size <= Page::kMaxRegularHeapObjectSize) {
+ __ Allocate(size, result, scratch, scratch2, deferred->entry(), flags);
+ } else {
+ __ jmp(deferred->entry());
+ }
 } else {
 Register size = ToRegister(instr->size());
 __ Allocate(size,
diff --git a/src/x64/lithium-codegen-x64.cc b/src/x64/lithium-codegen-x64.cc
index 11cfa69..332c2ee 100644
--- a/src/x64/lithium-codegen-x64.cc
+++ b/src/x64/lithium-codegen-x64.cc
@@ -5144,7 +5144,11 @@ void LCodeGen::DoAllocate(LAllocate* instr) {
 if (instr->size()->IsConstantOperand()) {
 int32_t size = ToInteger32(LConstantOperand::cast(instr->size()));
- __ Allocate(size, result, temp, no_reg, deferred->entry(), flags);
+ if (size <= Page::kMaxRegularHeapObjectSize) {
+ __ Allocate(size, result, temp, no_reg, deferred->entry(), flags);
+ } else {
+ __ jmp(deferred->entry());
+ }
 } else {
 Register size = ToRegister(instr->size());
 __ Allocate(size, result, temp, no_reg, deferred->entry(), flags);
diff --git a/test/mjsunit/regress/regress-351261.js b/test/mjsunit/regress/regress-351261.js
new file mode 100644
index 0000000..48af544
--- /dev/null
+++ b/test/mjsunit/regress/regress-351261.js
@@ -0,0 +1,19 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --fold-constants
+
+function store(a) {
+ a[5000000] = 1;
+}
+
+function foo() {
+ var __v_8 = new Object;
+ var __v_7 = new Array(4999990);
+ store(__v_8);
+ store(__v_7);
+}
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();
--
2.7.4
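Review bot: The test has no assertion and no comment tying the two magic numbers to the fix, so a future reader cannot tell which path it guards or what a failure looks like (presumably a crash or check failure rather than a wrong value). A header comment above `store` would help, e.g. `// a[5000000] on an Array(4999990) is an out-of-bounds store that would push the array to dictionary mode; storing to a plain Object first presumably lets the keyed store IC see both receivers.` — the exact reason the length is 4999990 should be confirmed against the ic.cc change. It would also help to say why `--fold-constants` is required, since the constant-size allocation path guarded in the codegen hunks only applies when the array length reaches codegen as a constant.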