Fix indirect push

BUG=chromium:388665 LOG=n Review URL: https://codereview.chromium.org/1087463003 Cr-Commit-Position: refs/heads/master@{#27795}

Fix indirect push
BUG=chromium:388665 LOG=n Review URL: https://codereview.chromium.org/1087463003 Cr-Commit-Position: refs/heads/master@{#27795}
434b456b · verwaest · Commit bot · c7f40ce7 · 434b456b · 434b456b
Commit 434b456b authored Apr 13, 2015 by verwaest Committed by Commit bot Apr 13, 2015
Show whitespace changes
Inline Side-by-side

Showing with 27 additions and 15 deletions

hydrogen.cc src/hydrogen.cc +7 -15

regress-indirect-push-unchecked.js test/mjsunit/regress/regress-indirect-push-unchecked.js +20 -0

No files found.
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -2388,6 +2388,8 @@ HInstruction* HGraphBuilder::BuildUncheckedMonomorphicElementAccess(
    PropertyAccessType access_type,
    LoadKeyedHoleMode load_mode,
    KeyedAccessStoreMode store_mode) {
+  DCHECK(top_info()->IsStub() || checked_object->IsCompareMap() ||
+         checked_object->IsCheckMaps());
  DCHECK((!IsExternalArrayElementsKind(elements_kind) &&
              !IsFixedTypedArrayElementsKind(elements_kind)) ||
         !is_js_array);
@@ -8454,11 +8456,10 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall(
        new_size = AddUncasted<HAdd>(length, graph()->GetConstant1());

        bool is_array = receiver_map->instance_type() == JS_ARRAY_TYPE;
-        BuildUncheckedMonomorphicElementAccess(array, length,
-                                               value_to_push, is_array,
-                                               elements_kind, STORE,
-                                               NEVER_RETURN_HOLE,
-                                               STORE_AND_GROW_NO_TRANSITION);
+        HValue* checked_array = Add<HCheckMaps>(array, receiver_map);
+        BuildUncheckedMonomorphicElementAccess(
+            checked_array, length, value_to_push, is_array, elements_kind,
+            STORE, NEVER_RETURN_HOLE, STORE_AND_GROW_NO_TRANSITION);

        if (!ast_context()->IsEffect()) Push(new_size);
        Add<HSimulate>(expr->id(), REMOVABLE_SIMULATE);
@@ -8825,18 +8826,9 @@ void HOptimizedGraphBuilder::HandleIndirectCall(Call* expr, HValue* function,
  int args_count_no_receiver = arguments_count - 1;
  if (function->IsConstant() &&
      HConstant::cast(function)->handle(isolate())->IsJSFunction()) {
-    HValue* receiver = environment()->ExpressionStackAt(args_count_no_receiver);
-    Handle<Map> receiver_map;
-    if (receiver->IsConstant() &&
-        HConstant::cast(receiver)->handle(isolate())->IsHeapObject()) {
-      receiver_map =
-          handle(Handle<HeapObject>::cast(
-                     HConstant::cast(receiver)->handle(isolate()))->map());
-    }
-
    known_function =
        Handle<JSFunction>::cast(HConstant::cast(function)->handle(isolate()));
-    if (TryInlineBuiltinMethodCall(expr, known_function, receiver_map,
+    if (TryInlineBuiltinMethodCall(expr, known_function, Handle<Map>(),
                                   args_count_no_receiver)) {
      if (FLAG_trace_inlining) {
        PrintF("Inlining builtin ");

--- a/test/mjsunit/regress/regress-indirect-push-unchecked.js
+++ b/test/mjsunit/regress/regress-indirect-push-unchecked.js
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var a = [1.5];
+
+function p() {
+  Array.prototype.push.call(a, 1.7);
+}
+
+p();
+p();
+p();
+%OptimizeFunctionOnNextCall(p);
+p();
+a.push({});
+p();
+assertEquals(1.7, a[a.length - 1]);