v8/test/mjsunit/regress/regress-812451.js

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

15 lines
280 B
JavaScript
Raw Normal View History

Reland "[ic] EmitElementStore: don't miss when hitting new space limit." This is a reland of af677f29b1b7c0286b423c4e745303ed51de88e9, fixing an issue with negative indices. Original change's description: > [ic] EmitElementStore: don't miss when hitting new space limit. > > CSA::EmitElementStore used to bail out (IC miss) via > CSA::CheckForCapacityGrow when the capacity hits the new space > limit, causing the store IC to go megamorphic in my example (see > referenced bug). With this CL, we do what TF'ed code does already: > call into Runtime::kGrowArrayElements (in this situation), thus > staying monomorphic. > > Here's a contrived test case: > > //////////////////////// > let x = []; > > function bar() { > for (let i = 0; i < 50000; ++i) x[i] = i; > } > > function foo() { > for (let i = x.length; i < 100e6; ++i) x[i] = i; > } > > bar(); > foo(); > //////////////////////// > > This took about 4s on my machine, now it takes 3s. > > Bug: v8:7447 > Change-Id: I7f268fc55835f363d250613ce0357444a663051c > Reviewed-on: https://chromium-review.googlesource.com/918723 > Commit-Queue: Georg Neis <neis@chromium.org> > Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> > Cr-Commit-Position: refs/heads/master@{#51297} Bug: v8:7447, chromium:812451 Change-Id: I345b5e5b2437c4f50e42bbd87947630f24cd95eb Reviewed-on: https://chromium-review.googlesource.com/921201 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#51311}
2018-02-15 11:48:15 +00:00
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc
var x = [];
function foo(x, p) {
x[p] = 5.3;
}
foo(x, 1);
foo(x, 2);
foo(x, -1);
gc();