From 2aa8941ad4a5b8f5d5ed53fb3f7851ce6821dc33 Mon Sep 17 00:00:00 2001
From: "danno@chromium.org"
Date: Wed, 23 Apr 2014 13:20:28 +0000
Subject: [PATCH] Fix deoptimization problem with inlined Array.push()
R=jarin@chromium.org
LOG=N
Review URL: https://codereview.chromium.org/247573008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20911 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
src/deoptimizer.cc | 4 +---
src/hydrogen.cc | 2 +-
test/mjsunit/array-push10.js | 15 +++++++++++++++
3 files changed, 17 insertions(+), 4 deletions(-)
create mode 100644 test/mjsunit/array-push10.js
diff --git a/src/deoptimizer.cc b/src/deoptimizer.cc
index e2fa5f3..5517dee 100644
--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@@ -2632,13 +2632,11 @@ unsigned Deoptimizer::ComputeInputFrameSize() const { // function into account so we have to avoid double counting them. unsigned result = fixed_size + fp_to_sp_delta_ - StandardFrameConstants::kFixedFrameSizeFromFp; -#ifdef DEBUG if (compiled_code_->kind() == Code::OPTIMIZED_FUNCTION) { unsigned stack_slots = compiled_code_->stack_slots(); unsigned outgoing_size = ComputeOutgoingArgumentSize(); - ASSERT(result == fixed_size + (stack_slots * kPointerSize) + outgoing_size); + CHECK(result == fixed_size + (stack_slots * kPointerSize) + outgoing_size); } -#endif return result; }
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 843be65..95e190e 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -7811,6 +7811,7 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall( HValue* value_to_push = Pop(); HValue* array = Pop(); + Drop(1); // Drop function. HInstruction* new_size = NULL; HValue* length = NULL;
@@ -7832,7 +7833,6 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall( Add(expr->id(), REMOVABLE_SIMULATE); } - Drop(1); // Drop function. ast_context()->ReturnValue(new_size); return true; }
diff --git a/test/mjsunit/array-push10.js b/test/mjsunit/array-push10.js
new file mode 100644
index 0000000..223186e
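Review bot: The new `CHECK` in `Deoptimizer::ComputeInputFrameSize()` now aborts release builds, but nothing next to it says why this invariant was promoted from a debug-only `ASSERT`. A comment above the `if` would record the intent, for example `// Always-on: a frame size that disagrees with stack_slots() means the input frame would be read at the wrong offsets.` That description of the failure mode is inferred from the commit subject and the terms being compared, so the author should confirm the wording. The start of the function body, where `fixed_size` is computed, is outside the hunk.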
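Review bot: The relocated `Drop(1); // Drop function.` in the first hydrogen.cc hunk is now order-sensitive, and its comment does not say so. Judging from the second hydrogen.cc hunk, the drop used to run after `Add(expr->id(), REMOVABLE_SIMULATE)`, so the simulate presumably captured an environment that still held the function. A comment such as `// Drop function before any simulate is added, so the deopt environment matches the frame.` would keep a later refactor from moving it back. The other inlined builtins in `TryInlineBuiltinMethodCall` are outside the hunk; if they pop their arguments the same way, the same ordering is worth checking there.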
--- /dev/null
+++ b/test/mjsunit/array-push10.js
@@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function __f_17(__v_9) {
+ var __v_10 = 0;
+ var count = 10000;
+ while (count-- != 0) {
+ __v_9.push(0);
+ if (++__v_10 >= 2) return __v_9;
+ __v_10 = {};
+ }
+}
+
+__v_14 = __f_17([]);
-- 2.7.4
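Review bot: The test asserts nothing and carries no comment saying what it guards, so it passes as long as the run does not crash. As written, `__f_17` returns `undefined` once the loop ends, because `++__v_10` on `{}` yields NaN and the early return is never taken. A header comment such as `// Regression test: deopt inside a loop with inlined Array.prototype.push must not crash.` would make the intent clear to the next reader. The test also relies on the 10000-iteration loop to get the function optimized, which depends on the optimizer heuristics of the build under test.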