Side by Side Diff: src/compiler/js-global-object-specialization.cc

Issue 2444233004: [compiler] Properly validate stable map assumption for globals. (Closed)
Patch Set: Unsmartify Crankshaft Created 4 years, 1 month ago
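--- a/src/compiler/js-global-object-specialization.cc
+++ b/src/compiler/js-global-object-specialization.cc
@@ -1,10 +1,10 @@
 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/js-global-object-specialization.h"
 
 #include "src/compilation-dependencies.h"
 #include "src/compiler/access-builder.h"
 #include "src/compiler/common-operator.h"
 #include "src/compiler/js-graph.h"
@@ -189,27 +189,32 @@
 graph()->NewNode(simplified()->CheckIf(), check, effect, control);
 break;
 }
 case PropertyCellType::kConstantType: {
 // Record a code dependency on the cell, and just deoptimize if the new
 // values' type doesn't match the type of the previous value in the cell.
 dependencies()->AssumePropertyCell(property_cell);
 Type* property_cell_value_type;
 MachineRepresentation representation = MachineRepresentation::kTagged;
 if (property_cell_value->IsHeapObject()) {
+// We cannot do anything if the {property_cell_value}s map is no
+// longer stable.
+Handle<Map> property_cell_value_map(
+Handle<HeapObject>::cast(property_cell_value)->map(), isolate());
+if (!property_cell_value_map->is_stable()) return NoChange();
+dependencies()->AssumeMapStable(property_cell_value_map);
+
 // Check that the {value} is a HeapObject.
 value = effect = graph()->NewNode(simplified()->CheckHeapObject(),
 value, effect, control);
 
 // Check {value} map agains the {property_cell} map.
-Handle<Map> property_cell_value_map(
-Handle<HeapObject>::cast(property_cell_value)->map(), isolate());
 effect = graph()->NewNode(
 simplified()->CheckMaps(1), value,
 jsgraph()->HeapConstant(property_cell_value_map), effect, control);
 property_cell_value_type = Type::OtherInternal();
 representation = MachineRepresentation::kTaggedPointer;
 } else {
 // Check that the {value} is a Smi.
 value = effect =
 graph()->NewNode(simplified()->CheckSmi(), value, effect, control);
 property_cell_value_type = Type::SignedSmall();
@@ -275,10 +280,10 @@
 return jsgraph()->javascript();
 }
 
 SimplifiedOperatorBuilder* JSGlobalObjectSpecialization::simplified() const {
 return jsgraph()->simplified();
 }
 
 } // namespace compiler
 } // namespace internal
 } // namespace v8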
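Review bot: The new `if (!property_cell_value_map->is_stable()) return NoChange();` bail-out sits after `dependencies()->AssumePropertyCell(property_cell);` at the top of the `kConstantType` case, so a reduction that gives up appears to leave a property-cell dependency recorded for code that does not rely on it. Reading the map and testing `is_stable()` before either dependency is registered would avoid that. The added comment says what the check does but not why; since `CheckMaps` only validates the value at the moment of the store, something like `// The map must be stable: other optimized code presumably relies on the stability dependency, not a map check, to deoptimize on a transition.` would record the invariant the title refers to (confirm the reader-side assumption before committing the wording). The enclosing function starts and ends outside the visible lines.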