v8/test/mjsunit/regress/regress-997485.js

128 lines
2.8 KiB
JavaScript
Raw Normal View History

Reland^2 "[ic] In-place Double -> Tagged transitions"" This is a reland of 981aafaf977d4671763c341102a4ee5ef172f7f6 It adds double checks to LoadFieldByIndex in the optimizing compiler, which are likely the source of the crashes. Original change's description: > Reland "[ic] In-place Double -> Tagged transitions" > > This is a reland of 0736599a69d4d7c145bff2d99fed8a7ea599f687. > This is a reland of 7e1fbe8f341161ca57f95f01b263643d139eb14a. > > Original change description: > > [ic] In-place Double -> Tagged transitions > > > > With no more MutableHeapNumber, we can make Double -> Tagged transitions > > in-place, at the cost of an extra map check when accessing double fields > > to make sure they are still doubles. > > > > Bug: v8:9606 > > Change-Id: I74ff39ed6fba62ee223cd37dfe761f7d73020e1c > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743973 > > Reviewed-by: Tobias Tebbi <tebbi@chromium.org> > > Reviewed-by: Toon Verwaest <verwaest@chromium.org> > > Commit-Queue: Leszek Swirski <leszeks@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#63374} > > TBR=verwaest@chromium.org, tebbi@chromium.org > > Bug: v8:9606 > Change-Id: I2d1b7416064d743582f4983fb868316b7e8a4cf2 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1777661 > Reviewed-by: Leszek Swirski <leszeks@chromium.org> > Commit-Queue: Leszek Swirski <leszeks@chromium.org> > Cr-Commit-Position: refs/heads/master@{#63499} TBR=verwaest@chromium.org Bug: v8:9606 Bug: chromium:997989 Change-Id: Iccfff8e5c6306c9ee4f6c62767dce883b1c6f743 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1784288 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#63582}
2019-09-05 14:36:00 +00:00
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
(function doubleToTaggedWithTaggedValueStoresCorrectly() {
function setX_Double(o) { o.x = 4.2; }
function foo() {
// o.x starts off as Double
const o = { x: 0.1 };
// Write to it a few times with setX_Double, to make sure setX_Double has
// Double feedback.
setX_Double(o);
setX_Double(o);
// Transition o.x to Tagged.
o.x = {};
// setX_Double will still have Double feedback, so make sure it works with
// the new Tagged representation o.x.
setX_Double(o);
assertEquals(o.x, 4.2);
}
%EnsureFeedbackVectorForFunction(setX_Double);
foo();
})();
(function doubleToTaggedWithDoubleValueDoesNotMutate() {
function setX_Double(o) { o.x = 4.2; }
function foo() {
// o.x starts off as Double
const o = { x: 0.1 };
// Write to it a few times with setX_Double, to make sure setX_Double has
// Double feedback.
setX_Double(o);
setX_Double(o);
// Transition o.x to Tagged.
o.x = {};
// Write the HeapNumber val to o.x.
const val = 1.25;
o.x = val;
// setX_Double will still have Double feedback, which expects to be able to
// mutate o.x's HeapNumber, so make sure it does not mutate val.
setX_Double(o);
assertEquals(o.x, 4.2);
assertNotEquals(val, 4.2);
}
%EnsureFeedbackVectorForFunction(setX_Double);
foo();
})();
(function doubleToTaggedWithTaggedValueStoresSmiCorrectly() {
function setX_Smi(o) { o.x = 42; }
function foo() {
// o.x starts off as Double
const o = { x: 0.1 };
// Write to it a few times with setX_Smi, to make sure setX_Smi has
// Double feedback.
setX_Smi(o);
setX_Smi(o);
// Transition o.x to Tagged.
o.x = {};
// setX_Smi will still have Double feedback, so make sure it works with
// the new Tagged representation o.x.
setX_Smi(o);
assertEquals(o.x, 42);
}
%EnsureFeedbackVectorForFunction(setX_Smi);
foo();
})();
(function doubleToTaggedWithSmiValueDoesNotMutate() {
function setX_Smi(o) { o.x = 42; }
function foo() {
// o.x starts off as Double
const o = { x: 0.1 };
// Write to it a few times with setX_Smi, to make sure setX_Smi has
// Double feedback.
setX_Smi(o);
setX_Smi(o);
// Transition o.x to Tagged.
o.x = {};
// Write the HeapNumber val to o.x.
const val = 1.25;
o.x = val;
// setX_Smi will still have Double feedback, which expects to be able to
// mutate o.x's HeapNumber, so make sure it does not mutate val.
setX_Smi(o);
assertEquals(o.x, 42);
assertNotEquals(val, 42);
}
%EnsureFeedbackVectorForFunction(setX_Smi);
foo();
})();