
Unified Diff: src/compiler/js-typed-lowering.cc

Issue 1447323005: Fix argument allocation dangling effect chains (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: Account for zero arguments Created 5 years, 1 month ago
Index: src/compiler/js-typed-lowering.cc
diff --git a/src/compiler/js-typed-lowering.cc b/src/compiler/js-typed-lowering.cc
index bbf314204f022a2edb6fd10a1f2c33b8dd9a73e3..efa08358e8fc0afed7c32dabbaab920ce0afb130 100644
--- a/src/compiler/js-typed-lowering.cc
+++ b/src/compiler/js-typed-lowering.cc
@@ -1467,8 +1467,10 @@ Reduction JSTypedLowering::ReduceJSCreateArguments(Node* node) {
FrameStateInfo args_state_info = OpParameter<FrameStateInfo>(args_state);
// Prepare element backing store to be used by arguments object.
bool has_aliased_arguments = false;
- Node* const elements = AllocateAliasedArguments(
- effect, control, args_state, context, shared, &has_aliased_arguments);
+ Node* allocate_effect = effect;
+ Node* const elements =
+ AllocateAliasedArguments(&allocate_effect, control, args_state, context,
+ shared, &has_aliased_arguments);
// Load the arguments object map from the current native context.
Node* const load_global_object = graph()->NewNode(
simplified()->LoadField(
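Review bot: The sloppy branch now carries two effect variables, `effect` and `allocate_effect`, and nothing at the declaration says which one later nodes should take. The `load_native_context, effect, control` load in the next hunk still uses `effect`, while the `AllocationBuilder` uses `allocate_effect`, so a later edit could easily attach a node to the wrong one. A comment at the declaration would help, for example `// Effect after the elements allocation; {effect} stays the incoming effect used by the loads below.` The same applies to the strict branch in the hunk at `@@ -1511,7 +1513,9 @@`. ReduceJSCreateArguments starts and ends outside this hunk, so whether the loads should themselves be ordered after the allocation cannot be judged from here.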
@@ -1484,7 +1486,7 @@ Reduction JSTypedLowering::ReduceJSCreateArguments(Node* node) {
: Context::SLOPPY_ARGUMENTS_MAP_INDEX)),
load_native_context, effect, control);
// Actually allocate and initialize the arguments object.
- AllocationBuilder a(jsgraph(), effect, control);
+ AllocationBuilder a(jsgraph(), allocate_effect, control);
Michael Starzinger 2015/11/20 09:15:56 Instead of having the out-parameter passing, could
sigurds 2015/11/20 10:24:39 Done.
Node* properties = jsgraph()->EmptyFixedArrayConstant();
int length = args_state_info.parameter_count() - 1; // Minus receiver.
STATIC_ASSERT(Heap::kSloppyArgumentsObjectSize == 5 * kPointerSize);
@@ -1511,7 +1513,9 @@ Reduction JSTypedLowering::ReduceJSCreateArguments(Node* node) {
Node* const args_state = GetArgumentsFrameState(frame_state);
FrameStateInfo args_state_info = OpParameter<FrameStateInfo>(args_state);
// Prepare element backing store to be used by arguments object.
- Node* const elements = AllocateArguments(effect, control, args_state);
+ Node* allocate_effect = effect;
+ Node* const elements =
+ AllocateArguments(&allocate_effect, control, args_state);
// Load the arguments object map from the current native context.
Node* const load_global_object = graph()->NewNode(
simplified()->LoadField(
@@ -1526,7 +1530,7 @@ Reduction JSTypedLowering::ReduceJSCreateArguments(Node* node) {
AccessBuilder::ForContextSlot(Context::STRICT_ARGUMENTS_MAP_INDEX)),
load_native_context, effect, control);
// Actually allocate and initialize the arguments object.
- AllocationBuilder a(jsgraph(), effect, control);
+ AllocationBuilder a(jsgraph(), allocate_effect, control);
Michael Starzinger 2015/11/20 09:15:56 Likewise.
sigurds 2015/11/20 10:24:39 Done.
Node* properties = jsgraph()->EmptyFixedArrayConstant();
int length = args_state_info.parameter_count() - 1; // Minus receiver.
STATIC_ASSERT(Heap::kStrictArgumentsObjectSize == 4 * kPointerSize);
@@ -2281,7 +2285,7 @@ Node* JSTypedLowering::Word32Shl(Node* const lhs, int32_t const rhs) {
// Helper that allocates a FixedArray holding argument values recorded in the
// given {frame_state}. Serves as backing store for JSCreateArguments nodes.
-Node* JSTypedLowering::AllocateArguments(Node* effect, Node* control,
+Node* JSTypedLowering::AllocateArguments(Node** effect, Node* control,
Node* frame_state) {
FrameStateInfo state_info = OpParameter<FrameStateInfo>(frame_state);
int argument_count = state_info.parameter_count() - 1; // Minus receiver.
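Review bot: The header comment above `AllocateArguments` does not say that `effect` is now an in/out parameter, read as the incoming effect and overwritten with the finished allocation at the final return. I would add a sentence such as `// {effect} is in/out: on return it points at the finished allocation.` and, since the pointer is dereferenced unconditionally, a `DCHECK_NOT_NULL(effect);` at the top of the body. The same holds for `AllocateAliasedArguments` in the hunk at `@@ -2306,7 +2310,7 @@`. The body between this hunk and the next is not shown, so it is worth confirming there that every return path, such as an early return for zero arguments, leaves `*effect` in a sensible state.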
@@ -2293,12 +2297,12 @@ Node* JSTypedLowering::AllocateArguments(Node* effect, Node* control,
auto paratemers_it = ++parameters_access.begin();
// Actually allocate the backing store.
- AllocationBuilder a(jsgraph(), effect, control);
+ AllocationBuilder a(jsgraph(), *effect, control);
a.AllocateArray(argument_count, factory()->fixed_array_map());
for (int i = 0; i < argument_count; ++i, ++paratemers_it) {
a.Store(AccessBuilder::ForFixedArraySlot(i), (*paratemers_it).node);
}
- return a.Finish();
+ return * effect = a.Finish();
}
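Review bot: `return * effect = a.Finish();` hides the write to the out-parameter inside the return expression, and the spacing makes it read like a multiplication. Splitting it into `*effect = a.Finish();` followed by `return *effect;` keeps the side effect visible to a reader scanning for where the caller's effect is updated. The same line closes `AllocateAliasedArguments` in the last hunk. AllocateArguments starts outside this hunk.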
@@ -2306,7 +2310,7 @@ Node* JSTypedLowering::AllocateArguments(Node* effect, Node* control,
// recorded in the given {frame_state}. Some elements map to slots within the
// given {context}. Serves as backing store for JSCreateArguments nodes.
Node* JSTypedLowering::AllocateAliasedArguments(
- Node* effect, Node* control, Node* frame_state, Node* context,
+ Node** effect, Node* control, Node* frame_state, Node* context,
Handle<SharedFunctionInfo> shared, bool* has_aliased_arguments) {
FrameStateInfo state_info = OpParameter<FrameStateInfo>(frame_state);
int argument_count = state_info.parameter_count() - 1; // Minus receiver.
@@ -2331,7 +2335,7 @@ Node* JSTypedLowering::AllocateAliasedArguments(
// The unmapped argument values recorded in the frame state are stored yet
// another indirection away and then linked into the parameter map below,
// whereas mapped argument values are replaced with a hole instead.
- AllocationBuilder aa(jsgraph(), effect, control);
+ AllocationBuilder aa(jsgraph(), *effect, control);
aa.AllocateArray(argument_count, factory()->fixed_array_map());
for (int i = 0; i < mapped_count; ++i, ++paratemers_it) {
aa.Store(AccessBuilder::ForFixedArraySlot(i), jsgraph()->TheHoleConstant());
@@ -2342,7 +2346,7 @@ Node* JSTypedLowering::AllocateAliasedArguments(
Node* arguments = aa.Finish();
// Actually allocate the backing store.
- AllocationBuilder a(jsgraph(), effect, control);
+ AllocationBuilder a(jsgraph(), arguments, control);
a.AllocateArray(mapped_count + 2, factory()->sloppy_arguments_elements_map());
a.Store(AccessBuilder::ForFixedArraySlot(0), context);
a.Store(AccessBuilder::ForFixedArraySlot(1), arguments);
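Review bot: The second builder now takes `arguments`, a value node, in the effect position, and nothing in the hunk says why that is valid. It presumably works because `aa.Finish()` returns a node that also carries the effect of the first allocation. A short comment such as `// {arguments} doubles as the effect of the first allocation, keeping both allocations on one chain.` would make the intent explicit. Misordered effects around allocations in generated code tend to surface as memory-safety bugs rather than clean failures, so a regression test covering sloppy arguments with mapped parameters would be worth adding if the change does not already carry one; none is visible on this page. AllocateAliasedArguments starts and ends outside this hunk.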
@@ -2350,7 +2354,7 @@ Node* JSTypedLowering::AllocateAliasedArguments(
int idx = Context::MIN_CONTEXT_SLOTS + parameter_count - 1 - i;
a.Store(AccessBuilder::ForFixedArraySlot(i + 2), jsgraph()->Constant(idx));
}
- return a.Finish();
+ return * effect = a.Finish();
}