Commit c94dcb21 authored by Georg Neis's avatar Georg Neis Committed by Commit Bot

[compiler] Don't infer receiver maps for stores.

This avoids a deopt loop.

Bug: v8:7254
Change-Id: I9ab1dfc754c5ad63c451a9e2276aa1d7eb4c27b1
Reviewed-on: https://chromium-review.googlesource.com/966065Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51994}
parent 609c0a13
......@@ -1040,7 +1040,8 @@ Reduction JSNativeContextSpecialization::ReduceNamedAccessFromNexus(
// Extract receiver maps from the IC using the {nexus}.
MapHandles receiver_maps;
if (!ExtractReceiverMaps(receiver, effect, nexus, &receiver_maps)) {
if (!ExtractReceiverMaps(receiver, effect, nexus, access_mode,
&receiver_maps)) {
return NoChange();
} else if (receiver_maps.empty()) {
if (flags() & kBailoutOnUninitialized) {
......@@ -1440,7 +1441,8 @@ Reduction JSNativeContextSpecialization::ReduceKeyedAccess(
// Extract receiver maps from the {nexus}.
MapHandles receiver_maps;
if (!ExtractReceiverMaps(receiver, effect, nexus, &receiver_maps)) {
if (!ExtractReceiverMaps(receiver, effect, nexus, access_mode,
&receiver_maps)) {
return NoChange();
} else if (receiver_maps.empty()) {
if (flags() & kBailoutOnUninitialized) {
......@@ -2108,6 +2110,7 @@ Reduction JSNativeContextSpecialization::ReduceJSStoreInArrayLiteral(
Node* const index = NodeProperties::GetValueInput(node, 1);
Node* const value = NodeProperties::GetValueInput(node, 2);
Node* const effect = NodeProperties::GetEffectInput(node);
AccessMode access_mode = AccessMode::kStoreInLiteral;
// Extract receiver maps from the keyed store IC using the FeedbackNexus.
if (!p.feedback().IsValid()) return NoChange();
......@@ -2118,7 +2121,8 @@ Reduction JSNativeContextSpecialization::ReduceJSStoreInArrayLiteral(
// Extract receiver maps from the {nexus}.
MapHandles receiver_maps;
if (!ExtractReceiverMaps(receiver, effect, nexus, &receiver_maps)) {
if (!ExtractReceiverMaps(receiver, effect, nexus, access_mode,
&receiver_maps)) {
return NoChange();
} else if (receiver_maps.empty()) {
if (flags() & kBailoutOnUninitialized) {
......@@ -2134,9 +2138,8 @@ Reduction JSNativeContextSpecialization::ReduceJSStoreInArrayLiteral(
if (nexus.ic_state() == MEGAMORPHIC) return NoChange();
// Try to lower the element access based on the {receiver_maps}.
return ReduceElementAccess(node, index, value, receiver_maps,
AccessMode::kStoreInLiteral, STANDARD_LOAD,
store_mode);
return ReduceElementAccess(node, index, value, receiver_maps, access_mode,
STANDARD_LOAD, store_mode);
}
namespace {
......@@ -2800,11 +2803,14 @@ bool JSNativeContextSpecialization::CanTreatHoleAsUndefined(
bool JSNativeContextSpecialization::ExtractReceiverMaps(
Node* receiver, Node* effect, FeedbackNexus const& nexus,
MapHandles* receiver_maps) {
AccessMode access_mode, MapHandles* receiver_maps) {
DCHECK_EQ(0, receiver_maps->size());
if (nexus.IsUninitialized()) return true;
// See if we can infer a concrete type for the {receiver}.
if (InferReceiverMaps(receiver, effect, receiver_maps)) {
// See if we can infer a concrete type for the {receiver}. This is only safe
// for loads, because for stores we need to take transition targets into
// account.
if (access_mode == AccessMode::kLoad &&
InferReceiverMaps(receiver, effect, receiver_maps)) {
// We can assume that the {receiver} still has the inferred {receiver_maps}.
return true;
}
......
......@@ -183,7 +183,7 @@ class JSNativeContextSpecialization final : public AdvancedReducer {
// Extract receiver maps from {nexus} and filter based on {receiver} if
// possible.
bool ExtractReceiverMaps(Node* receiver, Node* effect,
FeedbackNexus const& nexus,
FeedbackNexus const& nexus, AccessMode access_mode,
MapHandles* receiver_maps);
// Try to infer maps for the given {receiver} at the current {effect}.
......
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --opt
function foo(a) {
a[0];
a[1] = "";
}
foo([0,0].map(x => x));
foo([0,0].map(x => x));
%OptimizeFunctionOnNextCall(foo);
foo([0,0].map(x => x));
assertOptimized(foo);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment