From 41e9d916c45b98da1270b265e9121474ec5ef65b Mon Sep 17 00:00:00 2001 From: "ishell@chromium.org" Date: Fri, 13 Jun 2014 07:51:45 +0000 Subject: [PATCH] GVN fix, preventing loads hoisting above stores to the same field when HObjectAccess's representation is not the same. R=bmeurer@chromium.org Review URL: https://codereview.chromium.org/331493006 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21830 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 --- src/hydrogen-gvn.cc | 2 +- src/hydrogen-instructions.h | 9 ++++++++- test/mjsunit/regress/regress-gvn-ftt.js | 27 +++++++++++++++++++++++++ 3 files changed, 36 insertions(+), 2 deletions(-) create mode 100644 test/mjsunit/regress/regress-gvn-ftt.js diff --git a/src/hydrogen-gvn.cc b/src/hydrogen-gvn.cc index e6f1ae90f3..385947d754 100644 --- a/src/hydrogen-gvn.cc +++ b/src/hydrogen-gvn.cc @@ -466,7 +466,7 @@ bool SideEffectsTracker::ComputeGlobalVar(Unique cell, int* index) { bool SideEffectsTracker::ComputeInobjectField(HObjectAccess access, int* index) { for (int i = 0; i < num_inobject_fields_; ++i) { - if (access.Equals(inobject_fields_[i])) { + if (access.SameField(inobject_fields_[i])) { *index = i; return true; } diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h index f1720f4442..fce5d681a9 100644 --- a/src/hydrogen-instructions.h +++ b/src/hydrogen-instructions.h @@ -6202,7 +6202,14 @@ class HObjectAccess V8_FINAL { void PrintTo(StringStream* stream) const; inline bool Equals(HObjectAccess that) const { - return value_ == that.value_; // portion and offset must match + return value_ == that.value_; + } + + // Returns true if |this| access refers to the same field as |that|, which + // means that both have same |offset| and |portion| values. + inline bool SameField(HObjectAccess that) const { + uint32_t mask = PortionField::kMask | OffsetField::kMask; + return (value_ & mask) == (that.value_ & mask); } protected: diff --git a/test/mjsunit/regress/regress-gvn-ftt.js b/test/mjsunit/regress/regress-gvn-ftt.js new file mode 100644 index 0000000000..d2cb44381d --- /dev/null +++ b/test/mjsunit/regress/regress-gvn-ftt.js @@ -0,0 +1,27 @@ +// Copyright 2014 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax --track-field-types --use-gvn + +function A(id) { + this.id = id; +} + +var a1 = new A(1); +var a2 = new A(2); + + +var g; +function f(o, value) { + g = o.o; + o.o = value; + return o.o; +} + +var obj = {o: a1}; + +f(obj, a1); +f(obj, a1); +%OptimizeFunctionOnNextCall(f); +assertEquals(a2.id, f(obj, a2).id);