
Side by Side Diff: src/builtins.cc

Issue 15993012: Allocation type info advice consumed in bailout path leads to assert failure. (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: Code comments and bugfix Created 7 years, 6 months ago
1 // Copyright 2012 the V8 project authors. All rights reserved. 1 // Copyright 2012 the V8 project authors. All rights reserved.
2 // Redistribution and use in source and binary forms, with or without 2 // Redistribution and use in source and binary forms, with or without
3 // modification, are permitted provided that the following conditions are 3 // modification, are permitted provided that the following conditions are
4 // met: 4 // met:
5 // 5 //
6 // * Redistributions of source code must retain the above copyright 6 // * Redistributions of source code must retain the above copyright
7 // notice, this list of conditions and the following disclaimer. 7 // notice, this list of conditions and the following disclaimer.
8 // * Redistributions in binary form must reproduce the above 8 // * Redistributions in binary form must reproduce the above
9 // copyright notice, this list of conditions and the following 9 // copyright notice, this list of conditions and the following
10 // disclaimer in the documentation and/or other materials provided 10 // disclaimer in the documentation and/or other materials provided
(...skipping 191 matching lines...) Expand 10 before | Expand all | Expand 10 after
202 bool no_caller_args = args.length() == 2; 202 bool no_caller_args = args.length() == 2;
203 ASSERT(no_caller_args || args.length() == 3); 203 ASSERT(no_caller_args || args.length() == 3);
204 int parameters_start = no_caller_args ? 0 : 1; 204 int parameters_start = no_caller_args ? 0 : 1;
205 Arguments* caller_args = no_caller_args 205 Arguments* caller_args = no_caller_args
206 ? &empty_args 206 ? &empty_args
207 : reinterpret_cast<Arguments*>(args[0]); 207 : reinterpret_cast<Arguments*>(args[0]);
208 Handle<JSFunction> constructor = args.at<JSFunction>(parameters_start); 208 Handle<JSFunction> constructor = args.at<JSFunction>(parameters_start);
209 Handle<Object> type_info = args.at<Object>(parameters_start + 1); 209 Handle<Object> type_info = args.at<Object>(parameters_start + 1);
210 210
211 bool holey = false; 211 bool holey = false;
212 if (caller_args->length() == 1 && (*caller_args)[0]->IsSmi()) { 212 bool ignore_type_feedback = false;
danno 2013/06/05 11:31:13 Last comment: I think the logic makes a little mor
mvstanton 2013/06/06 09:23:33 Done.
213 int value = Smi::cast((*caller_args)[0])->value(); 213 if (caller_args->length() == 1) {
214 holey = (value > 0 && value < JSObject::kInitialMaxFastElementArray); 214 Object* argument_one = (*caller_args)[0];
215 if (argument_one->IsSmi()) {
216 int value = Smi::cast(argument_one)->value();
217 if (value < 0 || value >= JSObject::kInitialMaxFastElementArray) {
218 // the array is a dictionary in this case.
219 ignore_type_feedback = true;
220 } else if (value != 0) {
221 holey = true;
222 }
223 } else {
224 // Non-smi length argument produces a dictionary
225 ignore_type_feedback = true;
226 }
215 } 227 }
216 228
217 JSArray* array; 229 JSArray* array;
218 MaybeObject* maybe_array; 230 MaybeObject* maybe_array;
219 if (*type_info != isolate->heap()->undefined_value() && 231 if (*type_info != isolate->heap()->undefined_value() &&
220 JSGlobalPropertyCell::cast(*type_info)->value()->IsSmi()) { 232 JSGlobalPropertyCell::cast(*type_info)->value()->IsSmi() &&
233 !ignore_type_feedback) {
221 JSGlobalPropertyCell* cell = JSGlobalPropertyCell::cast(*type_info); 234 JSGlobalPropertyCell* cell = JSGlobalPropertyCell::cast(*type_info);
222 Smi* smi = Smi::cast(cell->value()); 235 Smi* smi = Smi::cast(cell->value());
223 ElementsKind to_kind = static_cast<ElementsKind>(smi->value()); 236 ElementsKind to_kind = static_cast<ElementsKind>(smi->value());
224 if (holey && !IsFastHoleyElementsKind(to_kind)) { 237 if (holey && !IsFastHoleyElementsKind(to_kind)) {
225 to_kind = GetHoleyElementsKind(to_kind); 238 to_kind = GetHoleyElementsKind(to_kind);
226 // Update the allocation site info to reflect the advice alteration. 239 // Update the allocation site info to reflect the advice alteration.
227 cell->set_value(Smi::FromInt(to_kind)); 240 cell->set_value(Smi::FromInt(to_kind));
228 } 241 }
229 242
230 maybe_array = isolate->heap()->AllocateJSObjectWithAllocationSite( 243 maybe_array = isolate->heap()->AllocateJSObjectWithAllocationSite(
(...skipping 1652 matching lines...) Expand 10 before | Expand all | Expand 10 after
1883 return Handle<Code>(code_address); \ 1896 return Handle<Code>(code_address); \
1884 } 1897 }
1885 BUILTIN_LIST_C(DEFINE_BUILTIN_ACCESSOR_C) 1898 BUILTIN_LIST_C(DEFINE_BUILTIN_ACCESSOR_C)
1886 BUILTIN_LIST_A(DEFINE_BUILTIN_ACCESSOR_A) 1899 BUILTIN_LIST_A(DEFINE_BUILTIN_ACCESSOR_A)
1887 BUILTIN_LIST_DEBUG_A(DEFINE_BUILTIN_ACCESSOR_A) 1900 BUILTIN_LIST_DEBUG_A(DEFINE_BUILTIN_ACCESSOR_A)
1888 #undef DEFINE_BUILTIN_ACCESSOR_C 1901 #undef DEFINE_BUILTIN_ACCESSOR_C
1889 #undef DEFINE_BUILTIN_ACCESSOR_A 1902 #undef DEFINE_BUILTIN_ACCESSOR_A
1890 1903
1891 1904
1892 } } // namespace v8::internal 1905 } } // namespace v8::internal
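Review bot: The comments added at new lines 218 and 224 say the array "is a dictionary", yet this block only sets `ignore_type_feedback`; the code that actually chooses the backing store is not in the visible lines, so the `value < 0 || value >= JSObject::kInitialMaxFastElementArray` test is a second copy of that decision and can drift from it. If the two disagree again, the stale ElementsKind read from the cell would be applied to an array whose elements do not match it, and the assert named in the issue title would only catch that in debug builds (assuming the usual debug-only ASSERT). I would reword the first comment to `// Out of fast-array range: the advice in type_info must not be applied. Keep in sync with the length check in array initialization.` and the second to `// A single non-smi argument is not a fast length; do not apply the advice.`, since a lone non-numeric argument presumably becomes the sole element rather than a length. The enclosing builtin starts and ends outside the shown lines.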