Fix for V8 issue 2795: Check fails with deopt for mjsunit/array-store-and-grow

src/hydrogen.cc

 // Copyright 2013 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 1060 matching lines @@
   HValue* current_capacity = AddLoadFixedArrayLength(elements);
 
   IfBuilder capacity_checker(this);
 
   capacity_checker.If<HCompareNumericAndBranch>(key, current_capacity,
                                                 Token::GTE);
   capacity_checker.Then();
 
   HValue* context = environment()->LookupContext();
 
+  HValue* max_gap = Add<HConstant>(static_cast<int32_t>(JSObject::kMaxGap));
+  HValue* max_capacity = AddInstruction(
+      HAdd::New(zone, context, current_capacity, max_gap));
+  IfBuilder key_checker(this);
+  key_checker.If<HCompareNumericAndBranch>(key, max_capacity, Token::LT);
+  key_checker.Then();
+  key_checker.ElseDeopt();
+  key_checker.End();
+
   HValue* new_capacity = BuildNewElementsCapacity(context, key);
-
   HValue* new_elements = BuildGrowElementsCapacity(object, elements,
                                                    kind, kind, length,
                                                    new_capacity);
 
   environment()->Push(new_elements);
   capacity_checker.Else();
 
   environment()->Push(elements);
   capacity_checker.End();
 
@@ skipping 237 matching lines @@
 
   AddStoreMapConstant(elements, map);
   AddStore(elements, HObjectAccess::ForFixedArrayLength(), capacity);
 }
 
 
 HValue* HGraphBuilder::BuildAllocateElementsAndInitializeElementsHeader(
     HValue* context,
     ElementsKind kind,
     HValue* capacity) {
+  // The HForceRepresentation is to prevent possible deopt on int-smi
+  // conversion after allocation but before the new object fields are set.
+  capacity = Add<HForceRepresentation>(capacity, Representation::Smi());
   HValue* new_elements = BuildAllocateElements(context, kind, capacity);
   BuildInitializeElementsHeader(new_elements, kind, capacity);
   return new_elements;
 }
 
 
 HInnerAllocatedObject* HGraphBuilder::BuildJSArrayHeader(HValue* array,
     HValue* array_map,
     AllocationSiteMode mode,
     ElementsKind elements_kind,
@@ skipping 117 matching lines @@
   return AddLoad(object, HObjectAccess::ForFixedArrayLength());
 }
 
 
 HValue* HGraphBuilder::BuildNewElementsCapacity(HValue* context,
                                                 HValue* old_capacity) {
   Zone* zone = this->zone();
   HValue* half_old_capacity =
       AddInstruction(HShr::New(zone, context, old_capacity,
                                graph_->GetConstant1()));
-  half_old_capacity->ClearFlag(HValue::kCanOverflow);
 
   HValue* new_capacity = AddInstruction(
       HAdd::New(zone, context, half_old_capacity, old_capacity));
   new_capacity->ClearFlag(HValue::kCanOverflow);
 
   HValue* min_growth = Add<HConstant>(16);
 
   new_capacity = AddInstruction(
       HAdd::New(zone, context, new_capacity, min_growth));
   new_capacity->ClearFlag(HValue::kCanOverflow);
 
   return new_capacity;
 }
 
 
 void HGraphBuilder::BuildNewSpaceArrayCheck(HValue* length, ElementsKind kind) {
   Heap* heap = isolate()->heap();
   int element_size = IsFastDoubleElementsKind(kind) ? kDoubleSize
                                                     : kPointerSize;
   int max_size = heap->MaxRegularSpaceAllocationSize() / element_size;
   max_size -= JSArray::kSize / element_size;
   HConstant* max_size_constant = Add<HConstant>(max_size);
-  // Since we're forcing Integer32 representation for this HBoundsCheck,
-  // there's no need to Smi-check the index.
   Add<HBoundsCheck>(length, max_size_constant);
 }
 
 
 HValue* HGraphBuilder::BuildGrowElementsCapacity(HValue* object,
                                                  HValue* elements,
                                                  ElementsKind kind,
                                                  ElementsKind new_kind,
                                                  HValue* length,
                                                  HValue* new_capacity) {
@@ skipping 408 matching lines @@
   return AllocateArray(size_in_bytes, capacity, length_field, fill_with_hole);
 }
 
 
 HValue* HGraphBuilder::JSArrayBuilder::AllocateArray(HValue* size_in_bytes,
                                                      HValue* capacity,
                                                      HValue* length_field,
                                                      bool fill_with_hole) {
   HValue* context = builder()->environment()->LookupContext();
 
+  // These HForceRepresentations are because we store these as fields in the
+  // objects we construct, and an int32-to-smi HChange could deopt. Accept
+  // the deopt possibility now, before allocation occurs.
+  capacity = builder()->Add<HForceRepresentation>(capacity,
+                                                  Representation::Smi());
+  length_field = builder()->Add<HForceRepresentation>(length_field,
+                                                      Representation::Smi());
+
   // Allocate (dealing with failure appropriately)
   HAllocate::Flags flags = HAllocate::DefaultFlags(kind_);
   HAllocate* new_object = builder()->Add<HAllocate>(context, size_in_bytes,
                                                     HType::JSArray(), flags);
 
   // Fill in the fields: map, properties, length
   HValue* map;
   if (allocation_site_payload_ == NULL) {
     map = EmitInternalMapCode();
   } else {
@@ skipping 7972 matching lines @@
   if (ShouldProduceTraceOutput()) {
     isolate()->GetHTracer()->TraceHydrogen(name(), graph_);
   }
 
 #ifdef DEBUG
   graph_->Verify(false);  // No full verify.
 #endif
 }
 
 } }  // namespace v8::internal