Fix deopts causing uninitialized fixed typed arrays.

The deopt will not happen in production code, since we check that lengths of fixed typed arrays are smis before calling TypedArrayInitialze, but that makes deopt bot happy. R=svenpanne@chromium.org Review URL: https://codereview.chromium.org/212643016 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20324 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Fix deopts causing uninitialized fixed typed arrays.
The deopt will not happen in production code, since we check that lengths of fixed typed arrays are smis before calling TypedArrayInitialze, but that makes deopt bot happy. R=svenpanne@chromium.org Review URL: https://codereview.chromium.org/212643016 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20324 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
0d1b90f8 · dslomov@chromium.org · 6781deae · 0d1b90f8 · 0d1b90f8
Commit 0d1b90f8 authored Mar 28, 2014 by dslomov@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 6 deletions

hydrogen.cc src/hydrogen.cc +10 -5

runtime.cc src/runtime.cc +2 -1

No files found.
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -8510,6 +8510,10 @@ HValue* HOptimizedGraphBuilder::BuildAllocateExternalElements(
    HValue* buffer, HValue* byte_offset, HValue* length) {
  Handle<Map> external_array_map(
      isolate()->heap()->MapForExternalArrayType(array_type));
+
+  // The HForceRepresentation is to prevent possible deopt on int-smi
+  // conversion after allocation but before the new object fields are set.
+  length = AddUncasted<HForceRepresentation>(length, Representation::Smi());
  HValue* elements =
      Add<HAllocate>(
          Add<HConstant>(ExternalArray::kAlignedSize),
@@ -8518,6 +8522,8 @@ HValue* HOptimizedGraphBuilder::BuildAllocateExternalElements(
          external_array_map->instance_type());

  AddStoreMapConstant(elements, external_array_map);
+  Add<HStoreNamedField>(elements,
+      HObjectAccess::ForFixedArrayLength(), length);

  HValue* backing_store = Add<HLoadNamedField>(
      buffer, static_cast<HValue*>(NULL),
@@ -8535,13 +8541,10 @@ HValue* HOptimizedGraphBuilder::BuildAllocateExternalElements(
    typed_array_start = external_pointer;
  }

-
  Add<HStoreNamedField>(elements,
      HObjectAccess::ForExternalArrayExternalPointer(),
      typed_array_start);

-  Add<HStoreNamedField>(elements,
-      HObjectAccess::ForFixedArrayLength(), length);
  return elements;
 }

@@ -8565,6 +8568,9 @@ HValue* HOptimizedGraphBuilder::BuildAllocateFixedTypedArray(
    total_size->ClearFlag(HValue::kCanOverflow);
  }

+  // The HForceRepresentation is to prevent possible deopt on int-smi
+  // conversion after allocation but before the new object fields are set.
+  length = AddUncasted<HForceRepresentation>(length, Representation::Smi());
  Handle<Map> fixed_typed_array_map(
      isolate()->heap()->MapForFixedTypedArray(array_type));
  HValue* elements =
@@ -8576,6 +8582,7 @@ HValue* HOptimizedGraphBuilder::BuildAllocateFixedTypedArray(
  Add<HStoreNamedField>(elements,
      HObjectAccess::ForFixedArrayLength(),
      length);
+
  HValue* filler = Add<HConstant>(static_cast<int32_t>(0));

  {
@@ -8588,8 +8595,6 @@ HValue* HOptimizedGraphBuilder::BuildAllocateFixedTypedArray(

    builder.EndBody();
  }
-  Add<HStoreNamedField>(
-      elements, HObjectAccess::ForFixedArrayLength(), length);
  return elements;
 }


--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -1236,7 +1236,8 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_TypedArraySetFastCases) {


 RUNTIME_FUNCTION(MaybeObject*, Runtime_TypedArrayMaxSizeInHeap) {
-  ASSERT_OBJECT_SIZE(FLAG_typed_array_max_size_in_heap);
+  ASSERT_OBJECT_SIZE(
+      FLAG_typed_array_max_size_in_heap + FixedTypedArrayBase::kDataOffset);
  return Smi::FromInt(FLAG_typed_array_max_size_in_heap);
 }