Skip to content

V
V8
Commit ebd16fd8 authored by mvstanton's avatar mvstanton Committed by Commit bot
Browse files
Options

Fix for v8:4380 introduced a regression in Octane crypto. 

Narrowed the scope of the fix, to make a best effort to avoid DEOPT in
case the hole is loaded, but not to permute the choice of a consolidated
load in case that effort fails.

BUG=chromium:530005
LOG=N

Review URL: https://codereview.chromium.org/1330233004

Cr-Commit-Position: refs/heads/master@{#30677}
parent aacaafd0
Show whitespace changes
Inline Side-by-side
Showing with 20 additions and 21 deletions
src/hydrogen.cc
View file @ ebd16fd8
...@@ -7452,40 +7452,39 @@ HInstruction* HOptimizedGraphBuilder::TryBuildConsolidatedElementLoad( ...@@ -7452,40 +7452,39 @@ HInstruction* HOptimizedGraphBuilder::TryBuildConsolidatedElementLoad(
: most_general_consolidated_map->elements_kind(); : most_general_consolidated_map->elements_kind();
LoadKeyedHoleMode load_mode = NEVER_RETURN_HOLE; LoadKeyedHoleMode load_mode = NEVER_RETURN_HOLE;
if (has_seen_holey_elements) { if (has_seen_holey_elements) {
if (!isolate()->IsFastArrayConstructorPrototypeChainIntact()) {
return NULL;
}
// Make sure that all of the maps we are handling have the initial array // Make sure that all of the maps we are handling have the initial array
// prototype. // prototype.
bool saw_non_array_prototype = false;
for (int i = 0; i < maps->length(); ++i) { for (int i = 0; i < maps->length(); ++i) {
Handle<Map> map = maps->at(i); Handle<Map> map = maps->at(i);
if (map->prototype() != *isolate()->initial_array_prototype()) { if (map->prototype() != *isolate()->initial_array_prototype()) {
// We can't guarantee that loading the hole is safe. The prototype may // We can't guarantee that loading the hole is safe. The prototype may
// have an element at this position. // have an element at this position.
return NULL; saw_non_array_prototype = true;
break;
} }
} }
Handle<Map> holey_map = if (!saw_non_array_prototype) {
handle(isolate()->get_initial_js_array_map(consolidated_elements_kind)); Handle<Map> holey_map = handle(
isolate()->get_initial_js_array_map(consolidated_elements_kind));
load_mode = BuildKeyedHoleMode(holey_map); load_mode = BuildKeyedHoleMode(holey_map);
if (load_mode == NEVER_RETURN_HOLE) { if (load_mode != NEVER_RETURN_HOLE) {
return NULL;
}
for (int i = 0; i < maps->length(); ++i) { for (int i = 0; i < maps->length(); ++i) {
Handle<Map> map = maps->at(i); Handle<Map> map = maps->at(i);
// The prototype check was already done for the holey map in // The prototype check was already done for the holey map in
// BuildKeyedHoleMode. // BuildKeyedHoleMode.
if (!map.is_identical_to(holey_map)) { if (!map.is_identical_to(holey_map)) {
Handle<JSObject> prototype(JSObject::cast(map->prototype()), isolate()); Handle<JSObject> prototype(JSObject::cast(map->prototype()),
isolate());
Handle<JSObject> object_prototype = Handle<JSObject> object_prototype =
isolate()->initial_object_prototype(); isolate()->initial_object_prototype();
BuildCheckPrototypeMaps(prototype, object_prototype); BuildCheckPrototypeMaps(prototype, object_prototype);
} }
} }
} }
}
}
HInstruction* instr = BuildUncheckedMonomorphicElementAccess( HInstruction* instr = BuildUncheckedMonomorphicElementAccess(
checked_object, key, val, checked_object, key, val,
most_general_consolidated_map->instance_type() == JS_ARRAY_TYPE, most_general_consolidated_map->instance_type() == JS_ARRAY_TYPE,
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment