
Side by Side Diff: src/compiler/js-builtin-reducer.cc

Issue 2319533005: [turbofan] Ensure that all prototypes are stable for push/pop. (Closed)
Patch Set: Created 4 years, 3 months ago
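--- a/src/compiler/js-builtin-reducer.cc
+++ b/src/compiler/js-builtin-reducer.cc
@@ -1,10 +1,10 @@
 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/js-builtin-reducer.h"
 
 #include "src/compilation-dependencies.h"
 #include "src/compiler/access-builder.h"
 #include "src/compiler/js-graph.h"
 #include "src/compiler/node-matchers.h"
@@ -138,25 +138,30 @@
 DCHECK_NE(DescriptorArray::kNotFound, number);
 return descriptors->GetDetails(number).IsReadOnly();
 }
 
 // TODO(turbofan): This was copied from Crankshaft, might be too restrictive.
 bool CanInlineArrayResizeOperation(Handle<Map> receiver_map) {
 Isolate* const isolate = receiver_map->GetIsolate();
 if (!receiver_map->prototype()->IsJSArray()) return false;
 Handle<JSArray> receiver_prototype(JSArray::cast(receiver_map->prototype()),
 isolate);
+// Ensure that all prototypes of the {receiver} are stable.
+for (PrototypeIterator it(isolate, receiver_prototype, kStartAtReceiver);
+!it.IsAtEnd(); it.Advance()) {
+Handle<JSReceiver> current = PrototypeIterator::GetCurrent<JSReceiver>(it);
+if (!current->map()->is_stable()) return false;
+}
 return receiver_map->instance_type() == JS_ARRAY_TYPE &&
 IsFastElementsKind(receiver_map->elements_kind()) &&
 !receiver_map->is_dictionary_map() && receiver_map->is_extensible() &&
 (!receiver_map->is_prototype_map() || receiver_map->is_stable()) &&
-receiver_prototype->map()->is_stable() &&
 isolate->IsFastArrayConstructorPrototypeChainIntact() &&
 isolate->IsAnyInitialArrayPrototype(receiver_prototype) &&
 !IsReadOnlyLengthDescriptor(receiver_map);
 }
 
 } // namespace
 
 // ES6 section 22.1.3.17 Array.prototype.pop ( )
 Reduction JSBuiltinReducer::ReduceArrayPop(Node* node) {
 Handle<Map> receiver_map;
@@ -1245,10 +1250,10 @@
 }
 
 
 SimplifiedOperatorBuilder* JSBuiltinReducer::simplified() const {
 return jsgraph()->simplified();
 }
 
 } // namespace compiler
 } // namespace internal
 } // namespace v8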
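Review bot: The new loop in CanInlineArrayResizeOperation (new lines 148-153) only samples `is_stable()` at compile time, so the inlined push/pop stays sound only if each caller also records a stability dependency on every map the loop visited. That registration is outside the visible hunks and should be confirmed for ReduceArrayPop and for the push reducer. If a map in the chain becomes unstable after compilation without triggering deoptimization, the fast path would keep running against a prototype chain it no longer describes. I would state the contract above the loop, for example `// Compile-time check only: callers must also register a stability dependency for each of these maps.` As a smaller point, the walk runs before the cheap `instance_type()` and `elements_kind()` tests, so testing those first would avoid iterating the chain for receivers that are rejected anyway.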