From 1a4482ab3f0964b8d8b45b1508bbccec2dde7fd5 Mon Sep 17 00:00:00 2001 From: "mvstanton@chromium.org" Date: Thu, 23 May 2013 13:45:33 +0000 Subject: [PATCH] Missing type cell on ia32 from bindings. Javascript constructors called from C++ code didn't have a type cell properly filled in on ia32. This showed up as a bug in webkit bindings. Re-enabled flag optimize-constructed-arrays. BUG= R=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/15870002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14775 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 --- src/flag-definitions.h | 2 +- src/ia32/builtins-ia32.cc | 4 ++++ test/mjsunit/allocation-site-info.js | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/src/flag-definitions.h b/src/flag-definitions.h index 7b5ba1e..859487a 100644 --- a/src/flag-definitions.h +++ b/src/flag-definitions.h @@ -258,7 +258,7 @@ DEFINE_bool(unreachable_code_elimination, false, "eliminate unreachable code (hidden behind soft deopts)") DEFINE_bool(track_allocation_sites, true, "Use allocation site info to reduce transitions") -DEFINE_bool(optimize_constructed_arrays, false, +DEFINE_bool(optimize_constructed_arrays, true, "Use allocation site info on constructed arrays") DEFINE_bool(trace_osr, false, "trace on-stack replacement") DEFINE_int(stress_runs, 0, "number of stress runs") diff --git a/src/ia32/builtins-ia32.cc b/src/ia32/builtins-ia32.cc index 2b45d76..4420102 100644 --- a/src/ia32/builtins-ia32.cc +++ b/src/ia32/builtins-ia32.cc @@ -486,6 +486,10 @@ static void Generate_JSEntryTrampolineHelper(MacroAssembler* masm, // Invoke the code. if (is_construct) { + // No type feedback cell is available + Handle undefined_sentinel( + masm->isolate()->heap()->undefined_value(), masm->isolate()); + __ mov(ebx, Immediate(undefined_sentinel)); CallConstructStub stub(NO_CALL_FUNCTION_FLAGS); __ CallStub(&stub); } else { 
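Review bot: Flipping `optimize_constructed_arrays` to `true` in src/flag-definitions.h turns the allocation-site path on by default for every port, while the code fix in this patch touches only the ia32 entry trampoline. Nothing in the diff shows whether the other architectures' construct entry paths already load a sentinel before `CallConstructStub`. That should be confirmed before the default changes, since a stale register could otherwise be read as a type cell there as well. A comment above the flag would record the dependency, for example `// Requires every CallConstructStub caller to pass a type cell or the undefined sentinel.`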
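Review bot: The new comment `// No type feedback cell is available` in the `is_construct` branch does not say why `ebx` has to be written, which is what a later editor needs to know. Going by the commit message, the construct stub consumes a type cell from that register and the C++ entry path previously left it unset. I would word it as `// CallConstructStub expects a type feedback cell in ebx; entry from C++ has none, so pass the undefined sentinel.` The patch also adds no test that enters a constructor from C++: the mjsunit change only flips a flag inside a JS-driven test, so a cctest that constructs an object through the embedder API on ia32 would guard this path against regression. Generate_JSEntryTrampolineHelper starts and ends outside the hunk.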
diff --git a/test/mjsunit/allocation-site-info.js b/test/mjsunit/allocation-site-info.js index d718993..4560531 100644 --- a/test/mjsunit/allocation-site-info.js +++ b/test/mjsunit/allocation-site-info.js @@ -37,7 +37,7 @@ // support_smi_only_arrays = %HasFastSmiElements(new Array(1,2,3,4,5,6,7,8)); support_smi_only_arrays = true; -optimize_constructed_arrays = false; +optimize_constructed_arrays = true; if (support_smi_only_arrays) { print("Tests include smi-only arrays."); -- 2.7.4
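Review bot: `optimize_constructed_arrays = true;` is a hand-kept copy of the flag default from src/flag-definitions.h, so the test's expectations are wrong whenever it runs with the flag overridden. If the file's `// Flags:` header (not visible in this hunk) can pin the flag, setting it there would tie the expectation to the configuration actually in use. Failing that, a comment on this line such as `// Must match the default of --optimize-constructed-arrays in flag-definitions.h.` would at least record the coupling.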