
Side by Side Diff: src/builtins.cc

Issue 15993012: Allocation type info advice consumed in bailout path leads to assert failure. (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: Addressed comment Created 7 years, 6 months ago
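--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -1,10 +1,10 @@
 // Copyright 2012 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 // * Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 // * Redistributions in binary form must reproduce the above
 // copyright notice, this list of conditions and the following
 // disclaimer in the documentation and/or other materials provided
@@ -193,30 +193,43 @@
 return isolate->heap()->undefined_value();
 }
 
 
 static MaybeObject* ArrayConstructorStubFailureCommon(
 Isolate* isolate,
 Handle<JSFunction> constructor,
 Handle<Object> type_info,
 Arguments* caller_args) {
 bool holey = false;
-if (caller_args->length() == 1 && (*caller_args)[0]->IsSmi()) {
-int value = Smi::cast((*caller_args)[0])->value();
-holey = (value > 0 && value < JSObject::kInitialMaxFastElementArray);
+bool can_use_type_feedback = true;
+if (caller_args->length() == 1) {
+Object* argument_one = (*caller_args)[0];
+if (argument_one->IsSmi()) {
+int value = Smi::cast(argument_one)->value();
+if (value < 0 || value >= JSObject::kInitialMaxFastElementArray) {
+// the array is a dictionary in this case.
+can_use_type_feedback = false;
+} else if (value != 0) {
+holey = true;
+}
+} else {
+// Non-smi length argument produces a dictionary
+can_use_type_feedback = false;
+}
 }
 
 JSArray* array;
 MaybeObject* maybe_array;
 if (!type_info.is_null() &&
 *type_info != isolate->heap()->undefined_value() &&
-JSGlobalPropertyCell::cast(*type_info)->value()->IsSmi()) {
+JSGlobalPropertyCell::cast(*type_info)->value()->IsSmi() &&
+can_use_type_feedback) {
 JSGlobalPropertyCell* cell = JSGlobalPropertyCell::cast(*type_info);
 Smi* smi = Smi::cast(cell->value());
 ElementsKind to_kind = static_cast<ElementsKind>(smi->value());
 if (holey && !IsFastHoleyElementsKind(to_kind)) {
 to_kind = GetHoleyElementsKind(to_kind);
 // Update the allocation site info to reflect the advice alteration.
 cell->set_value(Smi::FromInt(to_kind));
 }
 
 maybe_array = isolate->heap()->AllocateJSObjectWithAllocationSite(
@@ -1912,10 +1925,10 @@
 return Handle<Code>(code_address); \
 }
 BUILTIN_LIST_C(DEFINE_BUILTIN_ACCESSOR_C)
 BUILTIN_LIST_A(DEFINE_BUILTIN_ACCESSOR_A)
 BUILTIN_LIST_DEBUG_A(DEFINE_BUILTIN_ACCESSOR_A)
 #undef DEFINE_BUILTIN_ACCESSOR_C
 #undef DEFINE_BUILTIN_ACCESSOR_A
 
 
 } } // namespace v8::internal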
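Review bot: The new `can_use_type_feedback` computation in ArrayConstructorStubFailureCommon re-derives the fast-versus-dictionary decision locally from `caller_args` and `JSObject::kInitialMaxFastElementArray`, while the code that actually initializes the array lies further down the function, outside the visible lines, and presumably makes the same decision on its own. If the two conditions ever drift apart, the elements kind read from the cell via `static_cast<ElementsKind>(smi->value())` would again be applied to an array whose backing store does not match it, and if the assert named in the issue title is debug-only that mismatch would go unchecked in release builds. I would add a comment at the range check such as `// Must stay in sync with the fast-vs-dictionary decision made when the array is initialized below.`, or compute the predicate once and use it in both places. As a smaller style point, `can_use_type_feedback` could lead the `if (!type_info.is_null() && ...` condition, so the `JSGlobalPropertyCell::cast` is skipped when feedback is not usable.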