Fix deopts causing uninitialized fixed typed arrays.

The deopt will not happen in production code, since we check that lengths of fixed typed arrays are smis before calling TypedArrayInitialze, but that makes deopt bot happy. R=svenpanne@chromium.org Review URL: https://codereview.chromium.org/212643016 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20324 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-28 08:59:46 +00:00 · 2014-03-28 08:59:46 +00:00 · 0d1b90f8aa
commit 0d1b90f8aa
parent 6781deae0a
2 changed files with 12 additions and 6 deletions
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@ -8510,6 +8510,10 @@ HValue* HOptimizedGraphBuilder::BuildAllocateExternalElements(
    HValue* buffer, HValue* byte_offset, HValue* length) {
  Handle<Map> external_array_map(
      isolate()->heap()->MapForExternalArrayType(array_type));
+
+  // The HForceRepresentation is to prevent possible deopt on int-smi
+  // conversion after allocation but before the new object fields are set.
+  length = AddUncasted<HForceRepresentation>(length, Representation::Smi());
  HValue* elements =
      Add<HAllocate>(
          Add<HConstant>(ExternalArray::kAlignedSize),
@ -8518,6 +8522,8 @@ HValue* HOptimizedGraphBuilder::BuildAllocateExternalElements(
          external_array_map->instance_type());

  AddStoreMapConstant(elements, external_array_map);
+  Add<HStoreNamedField>(elements,
+      HObjectAccess::ForFixedArrayLength(), length);

  HValue* backing_store = Add<HLoadNamedField>(
      buffer, static_cast<HValue*>(NULL),
@ -8535,13 +8541,10 @@ HValue* HOptimizedGraphBuilder::BuildAllocateExternalElements(
    typed_array_start = external_pointer;
  }

-
  Add<HStoreNamedField>(elements,
      HObjectAccess::ForExternalArrayExternalPointer(),
      typed_array_start);

-  Add<HStoreNamedField>(elements,
-      HObjectAccess::ForFixedArrayLength(), length);
  return elements;
 }

@ -8565,6 +8568,9 @@ HValue* HOptimizedGraphBuilder::BuildAllocateFixedTypedArray(
    total_size->ClearFlag(HValue::kCanOverflow);
  }

+  // The HForceRepresentation is to prevent possible deopt on int-smi
+  // conversion after allocation but before the new object fields are set.
+  length = AddUncasted<HForceRepresentation>(length, Representation::Smi());
  Handle<Map> fixed_typed_array_map(
      isolate()->heap()->MapForFixedTypedArray(array_type));
  HValue* elements =
@ -8576,6 +8582,7 @@ HValue* HOptimizedGraphBuilder::BuildAllocateFixedTypedArray(
  Add<HStoreNamedField>(elements,
      HObjectAccess::ForFixedArrayLength(),
      length);
+
  HValue* filler = Add<HConstant>(static_cast<int32_t>(0));

  {
@ -8588,8 +8595,6 @@ HValue* HOptimizedGraphBuilder::BuildAllocateFixedTypedArray(

    builder.EndBody();
  }
-  Add<HStoreNamedField>(
-      elements, HObjectAccess::ForFixedArrayLength(), length);
  return elements;
 }

--- a/src/runtime.cc
+++ b/src/runtime.cc
@ -1236,7 +1236,8 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_TypedArraySetFastCases) {


 RUNTIME_FUNCTION(MaybeObject*, Runtime_TypedArrayMaxSizeInHeap) {
-  ASSERT_OBJECT_SIZE(FLAG_typed_array_max_size_in_heap);
+  ASSERT_OBJECT_SIZE(
+      FLAG_typed_array_max_size_in_heap + FixedTypedArrayBase::kDataOffset);
  return Smi::FromInt(FLAG_typed_array_max_size_in_heap);
 }