Reland "[ic] Fix typo in Runtime_CloneObjectIC_Miss."

This is a reland of 823795fc, the reason for the revert was flushing out a bug that was now fixed independently in https://chromium-review.googlesource.com/c/v8/v8/+/1655307 Drive-by-fix: Correct wrong offset in CloneObjectIC fast-path. Original change's description: > [ic] Fix typo in Runtime_CloneObjectIC_Miss. > > https://chromium-review.googlesource.com/1649554 introduced a typo into > Runtime_CloneObjectIC_Miss, where it wouldn't update the IC state UNLESS > the source map is deprecated, which is the wrong way around of course. > > Bug: chromium:973045, v8:7611, v8:9114, v8:9183, v8:9343 > Change-Id: I7d6e0709e66ce4aaaf4a628d64ab801b84c8993c > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655291 > Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> > Commit-Queue: Toon Verwaest <verwaest@chromium.org> > Reviewed-by: Toon Verwaest <verwaest@chromium.org> > Cr-Commit-Position: refs/heads/master@{#62106} Bug: chromium:973045, v8:7611, v8:9114, v8:9183, v8:9343 Change-Id: I763d9eeab95043bed3bc4849fc3ddcda7787169a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655651 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#62133}

Reland "[ic] Fix typo in Runtime_CloneObjectIC_Miss."
This is a reland of 823795fc, the reason for the revert was flushing out a bug that was now fixed independently in https://chromium-review.googlesource.com/c/v8/v8/+/1655307 Drive-by-fix: Correct wrong offset in CloneObjectIC fast-path. Original change's description: > [ic] Fix typo in Runtime_CloneObjectIC_Miss. > > https://chromium-review.googlesource.com/1649554 introduced a typo into > Runtime_CloneObjectIC_Miss, where it wouldn't update the IC state UNLESS > the source map is deprecated, which is the wrong way around of course. > > Bug: chromium:973045, v8:7611, v8:9114, v8:9183, v8:9343 > Change-Id: I7d6e0709e66ce4aaaf4a628d64ab801b84c8993c > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655291 > Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> > Commit-Queue: Toon Verwaest <verwaest@chromium.org> > Reviewed-by: Toon Verwaest <verwaest@chromium.org> > Cr-Commit-Position: refs/heads/master@{#62106} Bug: chromium:973045, v8:7611, v8:9114, v8:9183, v8:9343 Change-Id: I763d9eeab95043bed3bc4849fc3ddcda7787169a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655651 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#62133}
44b5a524 · Benedikt Meurer · Commit Bot · 4e3b1874 · 44b5a524 · 44b5a524
Commit 44b5a524 authored Jun 13, 2019 by Benedikt Meurer Committed by Commit Bot Jun 13, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 3 deletions

accessor-assembler.cc src/ic/accessor-assembler.cc +3 -2

ic.cc src/ic/ic.cc +1 -1

No files found.
--- a/src/ic/accessor-assembler.cc
+++ b/src/ic/accessor-assembler.cc
@@ -3782,10 +3782,11 @@ void AccessorAssembler::GenerateCloneObjectIC() {
    // objects, i.e. never hits undefined values in double fields.
    if (!FLAG_unbox_double_fields) {
      BuildFastLoop(
-          result_start, source_size,
+          source_start, source_size,
          [=](Node* field_index) {
            TNode<IntPtrT> result_offset =
-                TimesTaggedSize(UncheckedCast<IntPtrT>(field_index));
+                IntPtrAdd(TimesTaggedSize(UncheckedCast<IntPtrT>(field_index)),
+                          field_offset_difference);
            TNode<Object> field = LoadObjectField(object, result_offset);
            Label if_done(this), if_mutableheapnumber(this, Label::kDeferred);
            GotoIf(TaggedIsSmi(field), &if_done);

--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -2603,7 +2603,7 @@ RUNTIME_FUNCTION(Runtime_CloneObjectIC_Miss) {
  Handle<Object> source = args.at<Object>(0);
  int flags = args.smi_at(1);

-  if (MigrateDeprecated(isolate, source)) {
+  if (!MigrateDeprecated(isolate, source)) {
    FeedbackSlot slot = FeedbackVector::ToSlot(args.smi_at(2));
    Handle<HeapObject> maybe_vector = args.at<HeapObject>(3);
    if (maybe_vector->IsFeedbackVector()) {