[TurboFan] Array.prototype.map wrong ElementsKind for output array.

Bug: chromium:941743 Change-Id: Ic8f72bb39be43096373407ef0ec99391bbee217f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1526018Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/master@{#60282}

[TurboFan] Array.prototype.map wrong ElementsKind for output array.
Bug: chromium:941743 Change-Id: Ic8f72bb39be43096373407ef0ec99391bbee217f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1526018Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/master@{#60282}
96de5eeb · Mike Stanton · Commit Bot · d7cd9051 · 96de5eeb · 96de5eeb
Commit 96de5eeb authored Mar 18, 2019 by Mike Stanton Committed by Commit Bot Mar 18, 2019
Showing with 38 additions and 0 deletions

js-call-reducer.cc src/compiler/js-call-reducer.cc +7 -0

mjsunit.status test/mjsunit/mjsunit.status +3 -0

regress-crbug-941743.js test/mjsunit/regress/regress-crbug-941743.js +28 -0

No files found.
--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@@ -1538,6 +1538,13 @@ Reduction JSCallReducer::ReduceArrayMap(Node* node,
      simplified()->LoadField(AccessBuilder::ForJSArrayLength(kind)), receiver,
      effect, control);

+  // If the array length >= kMaxFastArrayLength, then CreateArray
+  // will create a dictionary. We should deopt in this case, and make sure
+  // not to attempt inlining again.
+  original_length = effect = graph()->NewNode(
+      simplified()->CheckBounds(p.feedback()), original_length,
+      jsgraph()->Constant(JSArray::kMaxFastArrayLength), effect, control);
+
  // Even though {JSCreateArray} is not marked as {kNoThrow}, we can elide the
  // exceptional projections because it cannot throw with the given parameters.
  Node* a = control = effect = graph()->NewNode(

--- a/test/mjsunit/mjsunit.status
+++ b/test/mjsunit/mjsunit.status
@@ -77,6 +77,9 @@
  # Too slow in debug mode and under turbofan.
  'regress/regress-4595': [PASS, NO_VARIANTS, ['mode == debug', SKIP]],

+  # Too slow in debug mode, due to large allocations.
+  'regress/regress-crbug-941743': [PASS, ['mode == debug', SKIP]],
+
  ##############################################################################
  # Only RegExp stuff tested, no need for extensive optimizing compiler tests.
  'regexp-global': [PASS, NO_VARIANTS],

--- a/test/mjsunit/regress/regress-crbug-941743.js
+++ b/test/mjsunit/regress/regress-crbug-941743.js
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --noenable-slow-asserts
+
+// This call ensures that TurboFan won't inline array constructors.
+Array(2**30);
+
+// Set up a fast holey smi array, and generate optimized code.
+let a = [1, 2, ,,, 3];
+function mapping(a) {
+  return a.map(v => v);
+}
+mapping(a);
+mapping(a);
+%OptimizeFunctionOnNextCall(mapping);
+mapping(a);
+
+// Now lengthen the array, but ensure that it points to a non-dictionary
+// backing store.
+a.length = (32 * 1024 * 1024)-1;
+a.fill(1,0);
+a.push(2);
+a.length += 500;
+// Now, the non-inlined array constructor should produce an array with
+// dictionary elements: causing a crash.
+mapping(a);