Fix f.apply() optimization when declared arguments are mutated.

R=verwaest@chromium.org BUG=v8:2539 TEST=mjsunit/regress/regress-2539 Review URL: https://codereview.chromium.org/12255033 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13673 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Fix f.apply() optimization when declared arguments are mutated.
R=verwaest@chromium.org BUG=v8:2539 TEST=mjsunit/regress/regress-2539 Review URL: https://codereview.chromium.org/12255033 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13673 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
300413b5 · mstarzinger@chromium.org · c77e538e · 300413b5 · 300413b5 · 300413b5
Commit 300413b5 authored Feb 14, 2013 by mstarzinger@chromium.org
Showing with 70 additions and 13 deletions

hydrogen.cc src/hydrogen.cc +14 -11

inline-function-apply.js test/mjsunit/compiler/inline-function-apply.js +1 -2

regress-2539.js test/mjsunit/regress/regress-2539.js +55 -0

No files found.
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -8004,25 +8004,28 @@ bool HOptimizedGraphBuilder::TryCallApply(Call* expr) {
    // TODO(mstarzinger): For now we just ensure arguments are pushed
    // right after HEnterInlined, but we could be smarter about this.
    EnsureArgumentsArePushedForAccess();
-    HEnvironment* arguments_env = environment()->arguments_environment();
-    int parameter_count = arguments_env->parameter_count();
+    ASSERT_EQ(environment()->arguments_environment()->parameter_count(),
+              function_state()->entry()->arguments_values()->length());
+    HEnterInlined* entry = function_state()->entry();
+    ZoneList<HValue*>* arguments_values = entry->arguments_values();
+    int arguments_count = arguments_values->length();
    PushAndAdd(new(zone()) HWrapReceiver(receiver, function));
-    for (int i = 1; i < arguments_env->parameter_count(); i++) {
-      Push(arguments_env->Lookup(i));
+    for (int i = 1; i < arguments_count; i++) {
+      Push(arguments_values->at(i));
    }

    Handle<JSFunction> known_function;
    if (function->IsConstant()) {
      HConstant* constant_function = HConstant::cast(function);
      known_function = Handle<JSFunction>::cast(constant_function->handle());
-      int arguments_count = parameter_count - 1;  // Excluding receiver.
-      if (TryInlineApply(known_function, expr, arguments_count)) return true;
+      int args_count = arguments_count - 1;  // Excluding receiver.
+      if (TryInlineApply(known_function, expr, args_count)) return true;
    }

-    Drop(parameter_count - 1);
+    Drop(arguments_count - 1);
    PushAndAdd(new(zone()) HPushArgument(Pop()));
-    for (int i = 1; i < arguments_env->parameter_count(); i++) {
-      PushAndAdd(new(zone()) HPushArgument(arguments_env->Lookup(i)));
+    for (int i = 1; i < arguments_count; i++) {
+      PushAndAdd(new(zone()) HPushArgument(arguments_values->at(i)));
    }

    HValue* context = environment()->LookupContext();
@@ -8030,8 +8033,8 @@ bool HOptimizedGraphBuilder::TryCallApply(Call* expr) {
        context,
        function,
        known_function,
-        parameter_count);
-    Drop(parameter_count);
+        arguments_count);
+    Drop(arguments_count);
    call->set_position(expr->position());
    ast_context()->ReturnInstruction(call, expr->id());
    return true;

--- a/test/mjsunit/compiler/inline-function-apply.js
+++ b/test/mjsunit/compiler/inline-function-apply.js
@@ -48,8 +48,7 @@
    }

    function B(x,y) {
-      // TODO(2539): Enable the mutation below once bug is fixed.
-      //x = 0; y = 0;
+      x = 0; y = 0;
      var r = "B" + dispatcher.func.apply(this, arguments);
      assertSame(argumentsCount, arguments.length);
      for (var i = 0; i < arguments.length; i++) {

--- a/test/mjsunit/regress/regress-2539.js
+++ b/test/mjsunit/regress/regress-2539.js
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+"use strict";
+var dispatcher = {};
+dispatcher.func = C;
+
+function A() {
+  B(10, 11);
+}
+
+function B(x,y) {
+  x = 0; y = 0;
+  dispatcher.func.apply(this, arguments);
+  assertSame(2, arguments.length);
+  assertSame(10, arguments[0]);
+  assertSame(11, arguments[1]);
+}
+
+function C(x,y) {
+  assertSame(2, arguments.length);
+  assertSame(10, arguments[0]);
+  assertSame(11, arguments[1]);
+}
+
+A();
+A();
+%OptimizeFunctionOnNextCall(A);
+A();