[turbofan] Fix deopt loop in out-of-bounds string element access.

We need to check the KeyedLoadIC state to guard against potential deoptimization loops due to out-of-bounds accesses, because the IC system uses the MEGAMORPHIC state to also signal that there was an out-of-bounds access already. R=jarin@chromium.org Review-Url: https://codereview.chromium.org/2443893002 Cr-Commit-Position: refs/heads/master@{#40525}

[turbofan] Fix deopt loop in out-of-bounds string element access.
We need to check the KeyedLoadIC state to guard against potential deoptimization loops due to out-of-bounds accesses, because the IC system uses the MEGAMORPHIC state to also signal that there was an out-of-bounds access already. R=jarin@chromium.org Review-Url: https://codereview.chromium.org/2443893002 Cr-Commit-Position: refs/heads/master@{#40525}
6c5fa8b4 · bmeurer · Commit bot · c2a5dc81 · 6c5fa8b4 · 6c5fa8b4
Commit 6c5fa8b4 authored Oct 24, 2016 by bmeurer Committed by Commit bot Oct 24, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 40 additions and 3 deletions

js-native-context-specialization.cc src/compiler/js-native-context-specialization.cc +9 -3

deopt-string-outofbounds.js test/mjsunit/compiler/deopt-string-outofbounds.js +31 -0

No files found.
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@@ -682,9 +682,9 @@ Reduction JSNativeContextSpecialization::ReduceKeyedAccess(
    Handle<String> string = Handle<String>::cast(mreceiver.Value());

    // We can only assume that the {index} is a valid array index if the IC
-    // is in element access mode, otherwise there's no guard for the bounds
-    // check below.
-    if (nexus.GetKeyType() == ELEMENT) {
+    // is in element access mode and not MEGAMORPHIC, otherwise there's no
+    // guard for the bounds check below.
+    if (nexus.ic_state() != MEGAMORPHIC && nexus.GetKeyType() == ELEMENT) {
      // Strings are immutable in JavaScript.
      if (access_mode == AccessMode::kStore) return NoChange();

@@ -760,6 +760,12 @@ Reduction JSNativeContextSpecialization::ReduceKeyedAccess(
    // that the {index} is a valid array index, thus we just let the IC continue
    // to deal with this load/store.
    return NoChange();
+  } else if (nexus.ic_state() == MEGAMORPHIC) {
+    // The KeyedLoad/StoreIC uses the MEGAMORPHIC state to guard the assumption
+    // that a numeric {index} is within the valid bounds for {receiver}, i.e.
+    // it transitions to MEGAMORPHIC once it sees an out-of-bounds access. Thus
+    // we cannot continue here if the IC state is MEGAMORPHIC.
+    return NoChange();
  }

  // Try to lower the element access based on the {receiver_maps}.

--- a/test/mjsunit/compiler/deopt-string-outofbounds.js
+++ b/test/mjsunit/compiler/deopt-string-outofbounds.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var s = "12345";
+
+(function() {
+  function foo() { return s[5]; }
+
+  foo();
+  foo();
+  %OptimizeFunctionOnNextCall(foo);
+  foo();
+  %OptimizeFunctionOnNextCall(foo);
+  foo();
+  assertOptimized(foo);
+})();
+
+(function() {
+  function foo(i) { return s[i]; }
+
+  foo(0);
+  foo(1);
+  %OptimizeFunctionOnNextCall(foo);
+  foo(5);
+  %OptimizeFunctionOnNextCall(foo);
+  foo(5);
+  assertOptimized(foo);
+})();