[runtime] Make stores to existing double fields always drop const

Dedeprecation to tagged is otherwise madness. Bug: chromium:1383976 Change-Id: I4ed16b9cc59ca113c16099895d1721e3eb0288b1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030486 Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Auto-Submit: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/main@{#84304}
2022-11-16 16:38:44 +01:00 · 2022-11-16 16:38:44 +01:00 · 1ffbbe5969
commit 1ffbbe5969
parent 9554743a0b
4 changed files with 33 additions and 20 deletions
--- a/src/objects/lookup.cc
+++ b/src/objects/lookup.cc
@ -927,19 +927,14 @@ bool LookupIterator::IsConstFieldValueEqualTo(Object value) const {
    // base::bit_cast or value(), will change its value on ia32 (the x87
    // stack is used to return values and stores to the stack silently clear the
    // signalling bit).
-    if (bits == kHoleNanInt64) {
-      // Uninitialized double field.
-      return true;
-    }
-    // Only allow exact same bitpatterns (and smis) to ensure we don't need
-    // expensive validation in optimized code.
-    return bits == base::bit_cast<uint64_t>(value.Number());
-  } else {
-    Object current_value = holder->RawFastPropertyAt(isolate_, field_index);
-    // Only allow exact same objects to ensure we don't need expensive
-    // validation in optimized code.
-    return current_value.IsUninitialized(isolate()) || current_value == value;
+    // Only allow initializing stores to double to stay constant.
+    return bits == kHoleNanInt64;
  }
+
+  Object current_value = holder->RawFastPropertyAt(isolate_, field_index);
+  // Only allow exact same objects to ensure we don't need expensive
+  // validation in optimized code.
+  return current_value.IsUninitialized(isolate()) || current_value == value;
 }

 bool LookupIterator::IsConstDictValueEqualTo(Object value) const {
--- a/test/cctest/test-field-type-tracking.cc
+++ b/test/cctest/test-field-type-tracking.cc
@ -2926,10 +2926,8 @@ TEST(StoreToConstantField_PlusMinusZero) {
      "}";

  TestStoreToConstantField_PlusMinusZero(store_func_source, 1);
-  TestStoreToConstantField_PlusMinusZero(store_func_source, 3);

  TestStoreToConstantField_NaN(store_func_source, 1);
-  TestStoreToConstantField_NaN(store_func_source, 2);
 }

 TEST(StoreToConstantField_ObjectDefineProperty) {
@ -2946,10 +2944,8 @@ TEST(StoreToConstantField_ObjectDefineProperty) {
      "}";

  TestStoreToConstantField_PlusMinusZero(store_func_source, 1);
-  TestStoreToConstantField_PlusMinusZero(store_func_source, 3);

  TestStoreToConstantField_NaN(store_func_source, 1);
-  TestStoreToConstantField_NaN(store_func_source, 2);
 }

 TEST(StoreToConstantField_ReflectSet) {
@ -2962,10 +2958,8 @@ TEST(StoreToConstantField_ReflectSet) {
      "}";

  TestStoreToConstantField_PlusMinusZero(store_func_source, 1);
-  TestStoreToConstantField_PlusMinusZero(store_func_source, 3);

  TestStoreToConstantField_NaN(store_func_source, 1);
-  TestStoreToConstantField_NaN(store_func_source, 2);
 }

 TEST(StoreToConstantField_StoreIC) {
@ -2978,10 +2972,8 @@ TEST(StoreToConstantField_StoreIC) {
      "}";

  TestStoreToConstantField_PlusMinusZero(store_func_source, 1);
-  TestStoreToConstantField_PlusMinusZero(store_func_source, 3);

  TestStoreToConstantField_NaN(store_func_source, 1);
-  TestStoreToConstantField_NaN(store_func_source, 2);
 }

 TEST(NormalizeToMigrationTarget) {
--- a/test/mjsunit/const-field-tracking.js
+++ b/test/mjsunit/const-field-tracking.js
@ -213,11 +213,13 @@ function TestStoreToConstantFieldOfConstantObject(the_value, other_value) {
 })();

 // Test constant tracking with double values.
+/*
 (function() {
  var the_value = 0.9;
  var other_value = 0.42
  TestStoreToConstantFieldOfConstantObject(the_value, other_value);
 })();
+*/

 // Test constant tracking with function values.
 (function() {
--- a/test/mjsunit/regress/regress-crbug-1383976.js
+++ b/test/mjsunit/regress/regress-crbug-1383976.js
@ -0,0 +1,24 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+let __v_34 =
+{
+  a: -9007199254740990,
+  b: 0
+};
+let __v_35 = {
+  a: 2,
+  b: 0
+};
+  Object.defineProperty(__v_34, "b", {
+    value: 4.2,
+  });
+let __v_36 = {
+  a: "foo",
+  b: 0
+};
+  Object.defineProperty(__v_35, "a",
+  {
+    value: 2,
+  });