
Side by Side Diff: src/compiler/js-global-object-specialization.cc

Issue 2449243004: Merged: [compiler] Properly validate stable map assumption for globals. (Closed)
Patch Set: Created 4 years, 1 month ago
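--- a/src/compiler/js-global-object-specialization.cc
+++ b/src/compiler/js-global-object-specialization.cc
@@ -1,10 +1,10 @@
 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/js-global-object-specialization.h"
 
 #include "src/compilation-dependencies.h"
 #include "src/compiler/access-builder.h"
 #include "src/compiler/common-operator.h"
 #include "src/compiler/js-graph.h"
@@ -199,27 +199,32 @@
 graph()->NewNode(simplified()->CheckIf(), check, effect, control);
 break;
 }
 case PropertyCellType::kConstantType: {
 // Record a code dependency on the cell, and just deoptimize if the new
 // values' type doesn't match the type of the previous value in the cell.
 dependencies()->AssumePropertyCell(property_cell);
 Type* property_cell_value_type;
 MachineRepresentation representation = MachineRepresentation::kTagged;
 if (property_cell_value->IsHeapObject()) {
+// We cannot do anything if the {property_cell_value}s map is no
+// longer stable.
+Handle<Map> property_cell_value_map(
+Handle<HeapObject>::cast(property_cell_value)->map(), isolate());
+if (!property_cell_value_map->is_stable()) return NoChange();
+dependencies()->AssumeMapStable(property_cell_value_map);
+
 // Check that the {value} is a HeapObject.
 value = effect = graph()->NewNode(simplified()->CheckHeapObject(),
 value, effect, control);
 
 // Check {value} map agains the {property_cell} map.
-Handle<Map> property_cell_value_map(
-Handle<HeapObject>::cast(property_cell_value)->map(), isolate());
 effect = graph()->NewNode(
 simplified()->CheckMaps(1), value,
 jsgraph()->HeapConstant(property_cell_value_map), effect, control);
 property_cell_value_type = Type::OtherInternal();
 representation = MachineRepresentation::kTaggedPointer;
 } else {
 // Check that the {value} is a Smi.
 value = effect =
 graph()->NewNode(simplified()->CheckSmi(), value, effect, control);
 property_cell_value_type = Type::SignedSmall();
@@ -300,10 +305,10 @@
 }
 
 
 SimplifiedOperatorBuilder* JSGlobalObjectSpecialization::simplified() const {
 return jsgraph()->simplified();
 }
 
 } // namespace compiler
 } // namespace internal
 } // namespace v8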
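Review bot: In the `kConstantType` case, `dependencies()->AssumePropertyCell(property_cell);` still runs before the added `if (!property_cell_value_map->is_stable()) return NoChange();`, so a reduction that bails out on an unstable map appears to leave a dependency on the cell behind. Over-registering errs on the safe side (at worst an extra deoptimization, never a missed one), but testing stability first avoids it, e.g. placing `if (property_cell_value->IsHeapObject() && !Handle<HeapObject>::cast(property_cell_value)->map()->is_stable()) return NoChange();` ahead of the `AssumePropertyCell` call. The enclosing function starts and ends outside the visible lines, so whether dependencies recorded before a `NoChange()` are discarded elsewhere cannot be confirmed from this section.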