From 1903e560b06a8689b3a9bd575d2063f5b4618fe7 Mon Sep 17 00:00:00 2001 From: "jkummerow@chromium.org" Date: Thu, 25 Sep 2014 08:25:25 +0000 Subject: [PATCH] Non-JSArrays must always have holey elements. Drive-by cleanup: remove unused elements_kind_ field in CallNew. BUG=chromium:416558 LOG=n R=mvstanton@chromium.org Review URL: https://codereview.chromium.org/595333002 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24211 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 --- src/ast.cc | 3 - src/ast.h | 3 - src/factory.cc | 5 +- src/objects-debug.cc | 2 +- test/mjsunit/regress/regress-crbug-416558.js | 115 +++++++++++++++++++++++++++ 5 files changed, 119 insertions(+), 9 deletions(-) create mode 100644 test/mjsunit/regress/regress-crbug-416558.js diff --git a/src/ast.cc b/src/ast.cc index 6816992..a7d9bad 100644 --- a/src/ast.cc +++ b/src/ast.cc @@ -615,9 +615,6 @@ void CallNew::RecordTypeFeedback(TypeFeedbackOracle* oracle) { is_monomorphic_ = oracle->CallNewIsMonomorphic(CallNewFeedbackSlot()); if (is_monomorphic_) { target_ = oracle->GetCallNewTarget(CallNewFeedbackSlot()); - if (!allocation_site_.is_null()) { - elements_kind_ = allocation_site_->GetElementsKind(); - } } } diff --git a/src/ast.h b/src/ast.h index e189f7e..63055ea 100644 --- a/src/ast.h +++ b/src/ast.h @@ -1868,7 +1868,6 @@ class CallNew FINAL : public Expression, public FeedbackSlotInterface { void RecordTypeFeedback(TypeFeedbackOracle* oracle); virtual bool IsMonomorphic() OVERRIDE { return is_monomorphic_; } Handle target() const { return target_; } - ElementsKind elements_kind() const { return elements_kind_; } Handle allocation_site() const { return allocation_site_; } @@ -1884,7 +1883,6 @@ class CallNew FINAL : public Expression, public FeedbackSlotInterface { expression_(expression), arguments_(arguments), is_monomorphic_(false), - elements_kind_(GetInitialFastElementsKind()), callnew_feedback_slot_(kInvalidFeedbackSlot), return_id_(id_gen->GetNextId()) {} @@ -1894,7 +1892,6 @@ class CallNew FINAL : public Expression, public FeedbackSlotInterface { bool is_monomorphic_; Handle target_; - ElementsKind elements_kind_; Handle allocation_site_; int callnew_feedback_slot_; diff --git a/src/factory.cc b/src/factory.cc index 45a79c1..0adc873 100644 --- a/src/factory.cc +++ b/src/factory.cc @@ -1302,8 +1302,9 @@ Handle Factory::NewFunction(Handle name, Handle function = NewFunction( name, code, prototype, read_only_prototype); - Handle initial_map = NewMap( - type, instance_size, GetInitialFastElementsKind()); + ElementsKind elements_kind = + type == JS_ARRAY_TYPE ? FAST_SMI_ELEMENTS : FAST_HOLEY_SMI_ELEMENTS; + Handle initial_map = NewMap(type, instance_size, elements_kind); if (prototype->IsTheHole() && !function->shared()->is_generator()) { prototype = NewFunctionPrototype(function); } diff --git a/src/objects-debug.cc b/src/objects-debug.cc index a2395de..1d5af5b 100644 --- a/src/objects-debug.cc +++ b/src/objects-debug.cc @@ -547,7 +547,7 @@ void JSGlobalProxy::JSGlobalProxyVerify() { VerifyObjectField(JSGlobalProxy::kNativeContextOffset); // Make sure that this object has no properties, elements. CHECK_EQ(0, properties()->length()); - CHECK(HasFastSmiElements()); + CHECK_EQ(FAST_HOLEY_SMI_ELEMENTS, GetElementsKind()); CHECK_EQ(0, FixedArray::cast(elements())->length()); } diff --git a/test/mjsunit/regress/regress-crbug-416558.js b/test/mjsunit/regress/regress-crbug-416558.js new file mode 100644 index 0000000..375ad40 --- /dev/null +++ b/test/mjsunit/regress/regress-crbug-416558.js @@ -0,0 +1,115 @@ +// Copyright 2014 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +(function() { + function store(x) { x[0] = 0; } + store([]); + var c = /x/; + store(c); + function get_hole() { + var b = /x/; + store(b); + return b[1]; + } + assertEquals(undefined, get_hole()); + assertEquals(undefined, get_hole()); +})(); + +(function() { + function store(x) { x[0] = 0; } + store([]); + var c = new Date(); + store(c); + function get_hole() { + var b = new Date(); + store(b); + return b[1]; + } + assertEquals(undefined, get_hole()); + assertEquals(undefined, get_hole()); +})(); + +(function() { + function store(x) { x[0] = 0; } + store([]); + var c = new Number(1); + store(c); + function get_hole() { + var b = new Number(1); + store(b); + return b[1]; + } + assertEquals(undefined, get_hole()); + assertEquals(undefined, get_hole()); +})(); + +(function() { + function store(x) { x[0] = 0; } + store([]); + var c = new Boolean(); + store(c); + function get_hole() { + var b = new Boolean(); + store(b); + return b[1]; + } + assertEquals(undefined, get_hole()); + assertEquals(undefined, get_hole()); +})(); + +(function() { + function store(x) { x[0] = 0; } + store([]); + var c = new Map(); + store(c); + function get_hole() { + var b = new Map(); + store(b); + return b[1]; + } + assertEquals(undefined, get_hole()); + assertEquals(undefined, get_hole()); +})(); + +(function() { + function store(x) { x[0] = 0; } + store([]); + var c = new Set(); + store(c); + function get_hole() { + var b = new Set(); + store(b); + return b[1]; + } + assertEquals(undefined, get_hole()); + assertEquals(undefined, get_hole()); +})(); + +(function() { + function store(x) { x[0] = 0; } + store([]); + var c = new WeakMap(); + store(c); + function get_hole() { + var b = new WeakMap(); + store(b); + return b[1]; + } + assertEquals(undefined, get_hole()); + assertEquals(undefined, get_hole()); +})(); + +(function() { + function store(x) { x[0] = 0; } + store([]); + var c = new WeakSet(); + store(c); + function get_hole() { + var b = new WeakSet(); + store(b); + return b[1]; + } + assertEquals(undefined, get_hole()); + assertEquals(undefined, get_hole()); +})(); -- 2.7.4