From bc4d7878e6ac17e3df184640c352ca5489095d5c Mon Sep 17 00:00:00 2001 From: "ulan@chromium.org" Date: Tue, 23 Apr 2013 15:28:44 +0000 Subject: [PATCH] Do not emit Simulates in HandlePolymorphicElementAccess. BUG=v8:2653 R=jkummerow@chromium.org TEST=mjsunit/regress/regress-2653.js Review URL: https://chromiumcodereview.appspot.com/14081025 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14396 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 --- src/hydrogen.cc | 9 ++++--- test/mjsunit/regress/regress-2653.js | 47 ++++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+), 3 deletions(-) create mode 100644 test/mjsunit/regress/regress-2653.js diff --git a/src/hydrogen.cc b/src/hydrogen.cc index f21fd42..20e1d0d 100644 --- a/src/hydrogen.cc +++ b/src/hydrogen.cc @@ -7690,10 +7690,12 @@ HValue* HOptimizedGraphBuilder::HandlePolymorphicElementAccess( } *has_side_effects |= access->HasObservableSideEffects(); + // The caller will use has_side_effects and add correct Simulate. + access->SetFlag(HValue::kHasNoObservableSideEffects); if (position != -1) { access->set_position(position); } - if_jsarray->Goto(join); + if_jsarray->GotoNoSimulate(join); set_current_block(if_fastobject); length = AddInstruction(new(zone()) HFixedArrayBaseLength(elements)); @@ -7713,18 +7715,19 @@ HValue* HOptimizedGraphBuilder::HandlePolymorphicElementAccess( elements_kind_branch, elements_kind, is_store)); } *has_side_effects |= access->HasObservableSideEffects(); + // The caller will use has_side_effects and add correct Simulate. + access->SetFlag(HValue::kHasNoObservableSideEffects); if (position != RelocInfo::kNoPosition) access->set_position(position); if (!is_store) { Push(access); } - current_block()->Goto(join); + current_block()->GotoNoSimulate(join); set_current_block(if_false); } } // Deopt if none of the cases matched. current_block()->FinishExitWithDeoptimization(HDeoptimize::kNoUses); - join->SetJoinId(ast_id); set_current_block(join); return is_store ? NULL : Pop(); } diff --git a/test/mjsunit/regress/regress-2653.js b/test/mjsunit/regress/regress-2653.js new file mode 100644 index 0000000..eb0c631 --- /dev/null +++ b/test/mjsunit/regress/regress-2653.js @@ -0,0 +1,47 @@ +// Copyright 2013 the V8 project authors. All rights reserved. +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials provided +// with the distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived +// from this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +// Flags: --allow-natives-syntax --deopt_every_n_garbage_collections=1 + +function foo(a, b) { + var l = a.length; + var array = new Array(l); + for (var k = 0; k < l; k++) { + array[k] = 120; + } + var result = new Array(l); + for (var i = 0; i < l; i++) { + result[i] = array[i]; + } + return result; +} + +a = "xxxxxxxxxxxxxxxxxxxxxxxxx"; +while (a.length < 100000) a = a + a; +foo(a, []); +%OptimizeFunctionOnNextCall(foo) +foo(a, []); -- 2.7.4