Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(81)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 1086873003: Array() in optimized code can create with wrong ElementsKind in corner cases. (Closed)

Created:
5 years, 8 months ago by mvstanton
Modified:
5 years, 8 months ago
Reviewers:
Toon Verwaest
CC:
v8-dev
Base URL:
https://chromium.googlesource.com/v8/v8.git@master
Target Ref:
refs/pending/heads/master
Project:
v8
Visibility:
Public.

Description

Array() in optimized code can create with wrong ElementsKind in corner cases. Calling new Array(JSObject::kInitialMaxFastElementArray) in optimized code makes a stub call that bails out due to the length. Currently, the bailout code a) doesn't have the allocation site, and b) wouldn't use it if it did because the length is perceived to be too high. This CL passes the allocation site to the stub call (rather than undefined), and alters the bailout code to utilize the feedback. BUG= Committed: https://crrev.com/13459c1ae3caa4cc546c522177bac5450a3252bf Cr-Commit-Position: refs/heads/master@{#27857}

Patch Set 1 #

Patch Set 2 : Ports, altered ia32 version slightly. #

Patch Set 3 : Fix a test expectation. #

Total comments: 4

Patch Set 4 : Address comments and test failure. #

Unified diffs Side-by-side diffs Delta from patch set Stats (+106 lines, -25 lines) Patch
M src/arm/lithium-codegen-arm.cc View 1 1 chunk +8 lines, -1 line 0 comments Download
M src/arm64/lithium-codegen-arm64.cc View 1 1 chunk +9 lines, -1 line 0 comments Download
M src/hydrogen.cc View 1 chunk +1 line, -1 line 0 comments Download
M src/hydrogen-instructions.h View 2 chunks +8 lines, -6 lines 0 comments Download
M src/ia32/lithium-codegen-ia32.cc View 1 1 chunk +9 lines, -1 line 0 comments Download
M src/mips/lithium-codegen-mips.cc View 1 1 chunk +8 lines, -1 line 0 comments Download
M src/mips64/lithium-codegen-mips64.cc View 1 1 chunk +8 lines, -1 line 0 comments Download
M src/objects.h View 1 chunk +5 lines, -0 lines 0 comments Download
M src/objects.cc View 1 chunk +3 lines, -9 lines 0 comments Download
M src/objects-inl.h View 1 2 3 1 chunk +11 lines, -0 lines 0 comments Download
M src/runtime/runtime-array.cc View 1 2 3 2 chunks +8 lines, -2 lines 0 comments Download
M src/x64/lithium-codegen-x64.cc View 1 1 chunk +9 lines, -1 line 0 comments Download
M test/mjsunit/array-constructor-feedback.js View 1 2 3 1 chunk +18 lines, -0 lines 0 comments Download
M test/mjsunit/array-feedback.js View 1 2 1 chunk +1 line, -1 line 0 comments Download

Messages

Total messages: 9 (2 generated)
mvstanton
Hi Toon, here is the repair we discussed, have a look and I'll upload ports, ...
5 years, 8 months ago (2015-04-15 10:23:17 UTC) #2
Toon Verwaest
You have some tests failing it seems... https://codereview.chromium.org/1086873003/diff/40001/src/objects-inl.h File src/objects-inl.h (right): https://codereview.chromium.org/1086873003/diff/40001/src/objects-inl.h#newcode7210 src/objects-inl.h:7210: if (new_length_handle->IsNumber() ...
5 years, 8 months ago (2015-04-15 12:56:23 UTC) #3
mvstanton
Thx Toon, and the test failure was because we allocate such a large array, there ...
5 years, 8 months ago (2015-04-15 14:10:34 UTC) #4
Toon Verwaest
lgtm
5 years, 8 months ago (2015-04-15 15:04:30 UTC) #5
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1086873003/60001
5 years, 8 months ago (2015-04-15 21:00:37 UTC) #7
commit-bot: I haz the power
Committed patchset #4 (id:60001)
5 years, 8 months ago (2015-04-15 21:02:21 UTC) #8
commit-bot: I haz the power
5 years, 8 months ago (2015-04-15 21:02:35 UTC) #9
Message was sent while issue was closed. 
Patchset 4 (id:??) landed as
https://crrev.com/13459c1ae3caa4cc546c522177bac5450a3252bf
Cr-Commit-Position: refs/heads/master@{#27857}

Powered by Google App Engine
This is Rietveld 408576698