v8/test/mjsunit/regress/regress-1180012.js

// Copyright 2021 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax

var __v_10 = {};
var __v_9 = [-1];
function __f_7() {
  (__v_10[65535] | 65535) / __v_9[2147483648];
}
%PrepareFunctionForOptimization(__f_7);
__f_7();
__f_7();
%OptimizeFunctionOnNextCall(__f_7);
__f_7();
Reland "[compiler] Direct heap reads for JSArrayRef" This is a reland of 76a2ab06a10e8e4b91328f0d87515a235d26b644 Changes since the original CL: - Handle unserialized elements (optional result in getter). - Merge should_access_heap and --turbo-direct-heap-access paths. - Slightly update the serialized path in GetOwnCowElement. - Fix the cctest, add a regression test. Atomic JSObject::elements/JSArray::length setters are addressed in this CL: crrev.com/c/2704076. Original change's description: > [compiler] Direct heap reads for JSArrayRef > > There are two aspects to the non-JSObject parts of JSArrayRef: > > - JSArrayRef::length. Relevant only in two spots, 1. when reading > (immutable) array boilerplates and 2. for GetOwnCowElement. > > - JSArrayRef::GetOwnCowElement. May read into a copy-on-write backing > store. Relies on the invariant that cow backing stores are immutable. > > This CL renames the length accessor to length_unsafe to make the > danger explicit at callsites. > > For GetOwnCowElement the refactor is slightly larger, since we now > need to read into the backing store while keeping full control of > object reads (e.g. JSArray::length and JSArray::elements_kind). We > make all reads explicit at the call site by requiring that elements, > elements kind, and length are passed in as arguments to > GetOwnCowElement. Inside GetOwnCowElement, consistency between these > is not guaranteed due to concurrency. At runtime, consistency is > guaranteed through the reference-equality check on the elements seen > during compilation. The actual elements read is implemented in > ConcurrentLookupIterator::GetOwnCowElement. > > Bug: v8:7790 > Change-Id: I9aa169ce4f2b1e2bfe1e9232007669eb7654a995 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2695403 > Commit-Queue: Jakob Gruber <jgruber@chromium.org> > Reviewed-by: Georg Neis <neis@chromium.org> > Reviewed-by: Igor Sheludko <ishell@chromium.org> > Cr-Commit-Position: refs/heads/master@{#72834} Bug: v8:7790 Change-Id: I7577ad554992cafff81099a28c34f27db9bd8042 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2710431 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#72904} 2021-02-22 11:24:34 +00:00			`// Copyright 2021 the V8 project authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style license that can be`
			`// found in the LICENSE file.`
			`//`
			`// Flags: --allow-natives-syntax`

			`var __v_10 = {};`
			`var __v_9 = [-1];`
			`function __f_7() {`
			`(__v_10[65535] \| 65535) / __v_9[2147483648];`
			`}`
			`%PrepareFunctionForOptimization(__f_7);`
			`__f_7();`
			`__f_7();`
			`%OptimizeFunctionOnNextCall(__f_7);`
			`__f_7();`