HCheckFunction is needed to protect new array constructors in

crankshafted code. BUG= R=danno@chromium.org Review URL: https://codereview.chromium.org/16944006 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15118 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

HCheckFunction is needed to protect new array constructors in
crankshafted code. BUG= R=danno@chromium.org Review URL: https://codereview.chromium.org/16944006 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15118 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
5b2c1a50 · mvstanton@chromium.org · 24ec0171 · 5b2c1a50 · 5b2c1a50 · 5b2c1a50
Commit 5b2c1a50 authored Jun 13, 2013 by mvstanton@chromium.org
Showing with 113 additions and 3 deletions

hydrogen.cc src/hydrogen.cc +5 -2

allocation-site-info.js test/mjsunit/allocation-site-info.js +2 -1

array-constructor-feedback.js test/mjsunit/array-constructor-feedback.js +106 -0

No files found.
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -8919,9 +8919,11 @@ void HOptimizedGraphBuilder::VisitCallNew(CallNew* expr) {
  } else {
    // The constructor function is both an operand to the instruction and an
    // argument to the construct call.
+    Handle<JSFunction> array_function =
+        Handle<JSFunction>(isolate()->global_context()->array_function(),
+                           isolate());
    bool use_call_new_array = FLAG_optimize_constructed_arrays &&
-        !(expr->target().is_null()) &&
-        *(expr->target()) == isolate()->global_context()->array_function();
+        expr->target().is_identical_to(array_function);

    CHECK_ALIVE(VisitArgument(expr->expression()));
    HValue* constructor = HPushArgument::cast(Top())->argument();
@@ -8929,6 +8931,7 @@ void HOptimizedGraphBuilder::VisitCallNew(CallNew* expr) {
    HCallNew* call;
    if (use_call_new_array) {
      Handle<Cell> cell = expr->allocation_info_cell();
+      AddInstruction(new(zone()) HCheckFunction(constructor, array_function));
      call = new(zone()) HCallNewArray(context, constructor, argument_count,
                                       cell);
    } else {

--- a/test/mjsunit/allocation-site-info.js
+++ b/test/mjsunit/allocation-site-info.js
@@ -315,7 +315,8 @@ if (support_smi_only_arrays) {
    instanceof_check(realmBArray);
    %OptimizeFunctionOnNextCall(instanceof_check);
    instanceof_check(Array);
-    instanceof_check(realmBArray);
    assertTrue(2 != %GetOptimizationStatus(instanceof_check));
+    instanceof_check(realmBArray);
+    assertTrue(1 != %GetOptimizationStatus(instanceof_check));
  }
 }
--- a/test/mjsunit/array-constructor-feedback.js
+++ b/test/mjsunit/array-constructor-feedback.js
+// Copyright 2012 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax --smi-only-arrays --expose-gc
+// Flags: --track-allocation-sites --noalways-opt
+
+// Test element kind of objects.
+// Since --smi-only-arrays affects builtins, its default setting at compile
+// time sticks if built with snapshot.  If --smi-only-arrays is deactivated
+// by default, only a no-snapshot build actually has smi-only arrays enabled
+// in this test case.  Depending on whether smi-only arrays are actually
+// enabled, this test takes the appropriate code path to check smi-only arrays.
+
+// support_smi_only_arrays = %HasFastSmiElements(new Array(1,2,3,4,5,6,7,8));
+support_smi_only_arrays = true;
+optimize_constructed_arrays = true;
+
+if (support_smi_only_arrays) {
+  print("Tests include smi-only arrays.");
+} else {
+  print("Tests do NOT include smi-only arrays.");
+}
+
+if (optimize_constructed_arrays) {
+  print("Tests include constructed array optimizations.");
+} else {
+  print("Tests do NOT include constructed array optimizations.");
+}
+
+var elements_kind = {
+  fast_smi_only            :  'fast smi only elements',
+  fast                     :  'fast elements',
+  fast_double              :  'fast double elements',
+  dictionary               :  'dictionary elements',
+  external_byte            :  'external byte elements',
+  external_unsigned_byte   :  'external unsigned byte elements',
+  external_short           :  'external short elements',
+  external_unsigned_short  :  'external unsigned short elements',
+  external_int             :  'external int elements',
+  external_unsigned_int    :  'external unsigned int elements',
+  external_float           :  'external float elements',
+  external_double          :  'external double elements',
+  external_pixel           :  'external pixel elements'
+}
+
+function getKind(obj) {
+  if (%HasFastSmiElements(obj)) return elements_kind.fast_smi_only;
+  if (%HasFastObjectElements(obj)) return elements_kind.fast;
+  if (%HasFastDoubleElements(obj)) return elements_kind.fast_double;
+  if (%HasDictionaryElements(obj)) return elements_kind.dictionary;
+}
+
+function isHoley(obj) {
+  if (%HasFastHoleyElements(obj)) return true;
+  return false;
+}
+
+function assertKind(expected, obj, name_opt) {
+  if (!support_smi_only_arrays &&
+      expected == elements_kind.fast_smi_only) {
+    expected = elements_kind.fast;
+  }
+  assertEquals(expected, getKind(obj), name_opt);
+}
+
+if (support_smi_only_arrays && optimize_constructed_arrays) {
+  function bar0(t) {
+    return new t();
+  }
+
+  a = bar0(Array);
+  a[0] = 3.5;
+  b = bar0(Array);
+  assertKind(elements_kind.fast_double, b);
+  %OptimizeFunctionOnNextCall(bar0);
+  b = bar0(Array);
+  assertKind(elements_kind.fast_double, b);
+  assertTrue(2 != %GetOptimizationStatus(bar0));
+  // bar0 should deopt
+  b = bar0(Object);
+  assertTrue(1 != %GetOptimizationStatus(bar0));
+}