Issue 20726002: Fix for V8 issue 2795: Check fails with deopt for mjsunit/array-store-and-grow

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Issue 20726002: Fix for V8 issue 2795: Check fails with deopt for mjsunit/array-store-and-grow (Closed)

Created:
7 years, 5 months ago by mvstanton

Modified:
7 years, 4 months ago

Reviewers:
Toon Verwaest

CC:
v8-dev

Base URL:
https://v8.googlecode.com/svn/branches/bleeding_edge

Visibility:
Public.

More Reviews

Description

Fix for V8 issue 2795: Check fails with deopt for mjsunit/array-store-and-grow (https://code.google.com/p/v8/issues/detail?id=2795) The reason is when allocating and building arrays in hydrogen we need to ensure we do any int32-to-smi conversions BEFORE the allocation. These conversions can at least theoretically deoptimize. If this happens before all the fields of the newly allocated object are filled in, we will have a corrupted heap. BUG= R=verwaest@chromium.org Committed: https://code.google.com/p/v8/source/detail?r=15929

Patch Set 1 #

Patch Set 2 : Added test #

Patch Set 3 : Test cleanup #

Patch Set 4 : Removed overkillin' wrapper #

Created: 7 years, 4 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+50 lines, -10 lines)			Patch
M	src/hydrogen.cc	View	1 2 3	5 chunks	+20 lines, -4 lines	0 comments	Download
M	src/hydrogen-instructions.h	View	1 2 3	2 chunks	+8 lines, -6 lines	0 comments	Download
M	test/mjsunit/array-store-and-grow.js	View	1 2 3	2 chunks	+22 lines, -0 lines	0 comments	Download

Messages

Total messages: 5 (0 generated)

Expand Messages | Collapse Messages

mvstanton

Hi Toon, here is the issue we worked on, thanks! --Michael

7 years, 5 months ago (2013-07-26 12:32:57 UTC) #1

Toon Verwaest

Can you add a regression test for the MaxGrow check, that overflows the smi range?

7 years, 5 months ago (2013-07-26 13:39:13 UTC) #2

mvstanton

7 years, 4 months ago (2013-07-29 11:50:45 UTC) #5

Message was sent while issue was closed.

Committed patchset #4 manually as r15929 (presubmit successful).

Expand Messages | Collapse Messages