From d4779286b6f7c66baaff1f0932cc57bf0729815d Mon Sep 17 00:00:00 2001
From: "jkummerow@chromium.org"
 <jkummerow@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Date: Thu, 14 Jul 2011 14:45:20 +0000
Subject: [PATCH] Add map check for COW elements to crankshaft array handling
 code.

BUG=1560
TEST=mjsunit/regress/regress-1560.js

Review URL: http://codereview.chromium.org/7366008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8656 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/hydrogen.cc                      | 14 ++++++++
 test/mjsunit/regress/regress-1560.js | 68 ++++++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+)
 create mode 100644 test/mjsunit/regress/regress-1560.js

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index b3f428c..57329ba 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -3925,8 +3925,16 @@ HInstruction* HGraphBuilder::BuildMonomorphicElementAccess(HValue* object,
     length = AddInstruction(new(zone()) HJSArrayLength(object));
     checked_key = AddInstruction(new(zone()) HBoundsCheck(key, length));
     AddInstruction(elements);
+    if (is_store) {
+      AddInstruction(new(zone()) HCheckMap(
+          elements, isolate()->factory()->fixed_array_map()));
+    }
   } else {
     AddInstruction(elements);
+    if (is_store) {
+      AddInstruction(new(zone()) HCheckMap(
+          elements, isolate()->factory()->fixed_array_map()));
+    }
     length = AddInstruction(new(zone()) HFixedArrayLength(elements));
     checked_key = AddInstruction(new(zone()) HBoundsCheck(key, length));
   }
@@ -4033,6 +4041,8 @@ HValue* HGraphBuilder::HandlePolymorphicElementAccess(HValue* object,
         elements = AddInstruction(new(zone()) HLoadElements(object));
         elements->ClearFlag(HValue::kUseGVN);
         if (is_store) {
+          AddInstruction(new(zone()) HCheckMap(
+              elements, isolate()->factory()->fixed_array_map()));
           access = AddInstruction(
               new(zone()) HStoreKeyedFastElement(elements, checked_key, val));
         } else {
@@ -4049,6 +4059,10 @@ HValue* HGraphBuilder::HandlePolymorphicElementAccess(HValue* object,
         set_current_block(if_fastobject);
         elements = AddInstruction(new(zone()) HLoadElements(object));
         elements->ClearFlag(HValue::kUseGVN);
+        if (is_store) {
+          AddInstruction(new(zone()) HCheckMap(
+              elements, isolate()->factory()->fixed_array_map()));
+        }
         length = AddInstruction(new(zone()) HFixedArrayLength(elements));
         checked_key = AddInstruction(new(zone()) HBoundsCheck(key, length));
         if (is_store) {
diff --git a/test/mjsunit/regress/regress-1560.js b/test/mjsunit/regress/regress-1560.js
new file mode 100644
index 0000000..a0aa7e6
--- /dev/null
+++ b/test/mjsunit/regress/regress-1560.js
@@ -0,0 +1,68 @@
+// Copyright 2011 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+function mkCOWArray() {
+  var a = [''];
+  assertEquals('', a[0]);
+  return a;
+}
+
+function mkArray() {
+  var a = [];
+  a[0] = '';
+  return a;
+}
+
+function mkNumberDictionary() {
+  var a = new Array();
+  a[0] = '';
+  a[100000] = '';
+  return a;
+}
+
+function write(a, i) { a[i] = "bazinga!"; }
+
+function test(factories, w) {
+  factories.forEach(function(f) { w(f(), 0); });
+  factories.forEach(function(f) { w(f(), 0); });
+      %OptimizeFunctionOnNextCall(w);
+  factories.forEach(function(f) { w(f(), 0); });
+}
+
+// Monomorphic case.
+for (var i = 0; i < 5; i++) write(mkArray(), 0);
+%OptimizeFunctionOnNextCall(write);
+write(mkCOWArray(), 0);
+var failure = mkCOWArray();
+
+// Cleanup, then polymorphic case.
+%DeoptimizeFunction(write);
+gc();
+test([mkArray, mkNumberDictionary], write);
+test([mkArray, mkNumberDictionary, mkCOWArray], write);
-- 
2.7.4