From b90beee7f55550a946b181088f6defec3bf03df0 Mon Sep 17 00:00:00 2001
From: "hpayer@chromium.org"
Date: Wed, 26 Mar 2014 08:01:20 +0000
Subject: [PATCH] Always initialize elements pointer in fast literals.
BUG=
R=mvstanton@chromium.org
Review URL: https://codereview.chromium.org/211103003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20262 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/hydrogen.cc | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 03d4ff9..c292a17 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -9763,6 +9763,15 @@ HInstruction* HOptimizedGraphBuilder::BuildFastLiteral(
 HInstruction* object = Add(object_size_constant, type, pretenure_flag, instance_type, site_context->current());
+ // If allocation folding reaches Page::kMaxRegularHeapObjectSize the
+ // elements array may not get folded into the object. Hence, we set the
+ // elements pointer to empty fixed array and let store elimination remove
+ // this store in the folding case.
+ HConstant* empty_fixed_array = Add(
+ isolate()->factory()->empty_fixed_array());
+ Add(object, HObjectAccess::ForElementsPointer(),
+ empty_fixed_array, INITIALIZING_STORE);
+
 BuildEmitObjectHeader(boilerplate_object, object);
 Handle elements(boilerplate_object->elements());
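Review bot: The new comment above the `empty_fixed_array` store says when folding can fail but not why an unset elements pointer matters. Presumably the separate elements allocation can trigger a GC that would then visit the uninitialized elements field of `object`; stating this would mark the store as a GC-safety invariant rather than a redundant write that a later cleanup might drop. I would append a line such as `// A GC triggered by the elements allocation must never see an uninitialized elements field.` to the comment block. The patch touches only src/hydrogen.cc and `BUG=` is empty, so nothing pins the behaviour; a regression test that builds a literal whose folded size crosses Page::kMaxRegularHeapObjectSize would be worth adding. BuildFastLiteral starts and ends outside this hunk.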
@@ -9786,14 +9795,6 @@ HInstruction* HOptimizedGraphBuilder::BuildFastLiteral(
 if (elements_size > 0) {
 HValue* object_elements_size = Add(elements_size);
 if (boilerplate_object->HasFastDoubleElements()) {
- // Allocation folding will not be able to fold |object| and
- // |object_elements| together if they are pre-tenured.
- if (pretenure_flag == TENURED) {
- HConstant* empty_fixed_array = Add(
- isolate()->factory()->empty_fixed_array());
- Add(object, HObjectAccess::ForElementsPointer(),
- empty_fixed_array);
- }
 object_elements = Add(object_elements_size, HType::Tagged(), pretenure_flag, FIXED_DOUBLE_ARRAY_TYPE, site_context->current());
 } else {
--
2.7.4