[ic] Filter out deprecated maps from polymorphic keyed ICs.

BUG=chromium:715862 Change-Id: I072ad02ca3ff2fce67c05e0e27708da9763bec44 Reviewed-on: https://chromium-review.googlesource.com/490106Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#44969}

[ic] Filter out deprecated maps from polymorphic keyed ICs.
BUG=chromium:715862 Change-Id: I072ad02ca3ff2fce67c05e0e27708da9763bec44 Reviewed-on: https://chromium-review.googlesource.com/490106Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#44969}
0655ee8f · Igor Sheludko · Commit Bot · 7d8e5774 · 0655ee8f · 0655ee8f
Commit 0655ee8f authored Apr 28, 2017 by Igor Sheludko Committed by Commit Bot Apr 28, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 42 additions and 2 deletions

ic.cc src/ic/ic.cc +25 -2

regress-crbug-715862.js test/mjsunit/regress/regress-crbug-715862.js +17 -0

No files found.
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -1372,7 +1372,13 @@ void KeyedLoadIC::UpdateLoadElement(Handle<HeapObject> receiver) {

  List<Handle<Object>> handlers(target_receiver_maps.length());
  LoadElementPolymorphicHandlers(&target_receiver_maps, &handlers);
-  ConfigureVectorState(Handle<Name>(), &target_receiver_maps, &handlers);
+  DCHECK_LE(1, target_receiver_maps.length());
+  if (target_receiver_maps.length() == 1) {
+    ConfigureVectorState(Handle<Name>(), target_receiver_maps.at(0),
+                         handlers.at(0));
+  } else {
+    ConfigureVectorState(Handle<Name>(), &target_receiver_maps, &handlers);
+  }
 }

 Handle<Object> KeyedLoadIC::LoadElementHandler(Handle<Map> receiver_map) {
@@ -1419,6 +1425,11 @@ void KeyedLoadIC::LoadElementPolymorphicHandlers(
    MapHandleList* receiver_maps, List<Handle<Object>>* handlers) {
  for (int i = 0; i < receiver_maps->length(); ++i) {
    Handle<Map> receiver_map(receiver_maps->at(i));
+    if (receiver_map->is_deprecated()) {
+      // Filter out deprecated maps to ensure their instances get migrated.
+      receiver_maps->Remove(i--);
+      continue;
+    }

    // Mark all stable receiver maps that have elements kind transition map
    // among receiver_maps as unstable because the optimizing compilers may
@@ -2017,7 +2028,13 @@ void KeyedStoreIC::UpdateStoreElement(Handle<Map> receiver_map,

  List<Handle<Object>> handlers(target_receiver_maps.length());
  StoreElementPolymorphicHandlers(&target_receiver_maps, &handlers, store_mode);
-  ConfigureVectorState(Handle<Name>(), &target_receiver_maps, &handlers);
+  DCHECK_LE(1, target_receiver_maps.length());
+  if (target_receiver_maps.length() == 1) {
+    ConfigureVectorState(Handle<Name>(), target_receiver_maps.at(0),
+                         handlers.at(0));
+  } else {
+    ConfigureVectorState(Handle<Name>(), &target_receiver_maps, &handlers);
+  }
 }


@@ -2091,6 +2108,12 @@ void KeyedStoreIC::StoreElementPolymorphicHandlers(

  for (int i = 0; i < receiver_maps->length(); ++i) {
    Handle<Map> receiver_map(receiver_maps->at(i));
+    if (receiver_map->is_deprecated()) {
+      // Filter out deprecated maps to ensure their instances get migrated.
+      receiver_maps->Remove(i--);
+      continue;
+    }
+
    Handle<Object> handler;
    Handle<Map> transitioned_map;


--- a/test/mjsunit/regress/regress-crbug-715862.js
+++ b/test/mjsunit/regress/regress-crbug-715862.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --verify-heap
+
+function f(a) {
+  a.x = 0;
+  a[1] = 0.1;
+  a.x = {};
+}
+
+f(new Array(1));
+f(new Array());
+
+%OptimizeFunctionOnNextCall(f);
+f(new Array(1));