From 2b722b663eace2d9716cd93ae4779b8e1cfa7c64 Mon Sep 17 00:00:00 2001 From: "jkummerow@chromium.org" Date: Thu, 20 Mar 2014 16:25:24 +0000 Subject: [PATCH] Fix polymorphic hydrogen handling of SLOPPY_ARGUMENTS_ELEMENTS BUG=chromium:354391 LOG=y R=verwaest@chromium.org Review URL: https://codereview.chromium.org/206073008 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20137 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 --- src/hydrogen.cc | 5 +++++ test/mjsunit/regress/regress-crbug-354391.js | 21 +++++++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 test/mjsunit/regress/regress-crbug-354391.js diff --git a/src/hydrogen.cc b/src/hydrogen.cc index 282fae7..891c714 100644 --- a/src/hydrogen.cc +++ b/src/hydrogen.cc @@ -6395,6 +6395,11 @@ HValue* HOptimizedGraphBuilder::HandlePolymorphicElementAccess( elements_kind != GetInitialFastElementsKind()) { possible_transitioned_maps.Add(map); } + if (elements_kind == SLOPPY_ARGUMENTS_ELEMENTS) { + HInstruction* result = BuildKeyedGeneric(access_type, object, key, val); + *has_side_effects = result->HasObservableSideEffects(); + return AddInstruction(result); + } } // Get transition target for each map (NULL == no transition). for (int i = 0; i < maps->length(); ++i) { diff --git a/test/mjsunit/regress/regress-crbug-354391.js b/test/mjsunit/regress/regress-crbug-354391.js new file mode 100644 index 0000000..e652bd3 --- /dev/null +++ b/test/mjsunit/regress/regress-crbug-354391.js @@ -0,0 +1,21 @@ +// Copyright 2014 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax + +function load(a, i) { + return a[i]; +} + +function f2(a, b, c, d, index) { + return load(arguments, index); +} + +f2(1, 2, 3, 4, "foo"); +f2(1, 2, 3, 4, "foo"); +load([11, 22, 33], 0); +assertEquals(11, f2(11, 22, 33, 44, 0)); + +%OptimizeFunctionOnNextCall(load); +assertEquals(11, f2(11, 22, 33, 44, 0)); -- 2.7.4