[stubs] Ensure that StoreTransitionStub does not bailout after the properties backing store is enla…

src/code-stubs-hydrogen.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/code-stubs.h"
 
 #include "src/bailout-reason.h"
 #include "src/crankshaft/hydrogen.h"
 #include "src/crankshaft/lithium.h"
 #include "src/field-index.h"
@@ skipping 1345 matching lines @@
   return GetParameter(2);
 }
 
 
 Handle<Code> StoreFieldStub::GenerateCode() { return DoGenerateCode(this); }
 
 
 template <>
 HValue* CodeStubGraphBuilder<StoreTransitionStub>::BuildCodeStub() {
   HValue* object = GetParameter(StoreTransitionHelper::ReceiverIndex());
+  HValue* value = GetParameter(StoreTransitionHelper::ValueIndex());
+  StoreTransitionStub::StoreMode store_mode = casted_stub()->store_mode();
 
-  switch (casted_stub()->store_mode()) {
+  if (store_mode != StoreTransitionStub::StoreMapOnly) {
+    value = GetParameter(StoreTransitionHelper::ValueIndex());
+    Representation representation = casted_stub()->representation();
+    if (representation.IsDouble()) {
+      // In case we are storing a double, assure that the value is a double
+      // before manipulating the properties backing store. Otherwise the actual
+      // store may deopt, leaving the backing store in an overallocated state.
+      value = AddUncasted<HForceRepresentation>(value, representation);
+    }
+  }
+
+  switch (store_mode) {
     case StoreTransitionStub::ExtendStorageAndStoreMapAndValue: {
       HValue* properties = Add<HLoadNamedField>(
           object, nullptr, HObjectAccess::ForPropertiesPointer());
       HValue* length = AddLoadFixedArrayLength(properties);
       HValue* delta =
           Add<HConstant>(static_cast<int32_t>(JSObject::kFieldsAdded));
       HValue* new_capacity = AddUncasted<HAdd>(length, delta);
 
       // Grow properties array.
       ElementsKind kind = FAST_ELEMENTS;
       Add<HBoundsCheck>(new_capacity,
                         Add<HConstant>((Page::kMaxRegularHeapObjectSize -
                                         FixedArray::kHeaderSize) >>
                                        ElementsKindToShiftSize(kind)));
 
       // Reuse this code for properties backing store allocation.
       HValue* new_properties =
           BuildAllocateAndInitializeArray(kind, new_capacity);
 
       BuildCopyProperties(properties, new_properties, length, new_capacity);
 
       Add<HStoreNamedField>(object, HObjectAccess::ForPropertiesPointer(),
                             new_properties);
     }
     // Fall through.
     case StoreTransitionStub::StoreMapAndValue:
       // Store the new value into the "extended" object.
-      BuildStoreNamedField(
-          object, GetParameter(StoreTransitionHelper::ValueIndex()),
-          casted_stub()->index(), casted_stub()->representation(), true);
+      BuildStoreNamedField(object, value, casted_stub()->index(),
+                           casted_stub()->representation(), true);
     // Fall through.
 
     case StoreTransitionStub::StoreMapOnly:
       // And finally update the map.
       Add<HStoreNamedField>(object, HObjectAccess::ForMap(),
                             GetParameter(StoreTransitionHelper::MapIndex()));
       break;
   }
-  return GetParameter(StoreTransitionHelper::ValueIndex());
+  return value;
 }
 
 
 Handle<Code> StoreTransitionStub::GenerateCode() {
   return DoGenerateCode(this);
 }
 
 
 template <>
 HValue* CodeStubGraphBuilder<StoreFastElementStub>::BuildCodeStub() {
@@ skipping 883 matching lines @@
   return Pop();
 }
 
 
 Handle<Code> KeyedLoadGenericStub::GenerateCode() {
   return DoGenerateCode(this);
 }
 
 }  // namespace internal
 }  // namespace v8