Fix r11780 to avoid bugs where near branches are used to labels that are out of range.
Review URL: http://codereview.chromium.org/10542137 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11792 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This commit is contained in:
erikcorry
parent
f8b4574250
commit
5eb4baed65
@ -2357,6 +2357,18 @@ void LCodeGen::EmitPushTaggedOperand(LOperand* operand) {
|
||||
}
|
||||
|
||||
|
||||
// Check for cases where EmitLoadFieldOrConstantFunction needs to walk the
|
||||
// prototype chain, which causes unbounded code generation.
|
||||
static bool CompactEmit(
|
||||
SmallMapList* list, Handle<String> name, int i, Isolate* isolate) {
|
||||
LookupResult lookup(isolate);
|
||||
Handle<Map> map = list->at(i);
|
||||
map->LookupInDescriptors(NULL, *name, &lookup);
|
||||
return lookup.IsFound() &&
|
||||
(lookup.type() == FIELD || lookup.type() == CONSTANT_FUNCTION);
|
||||
}
|
||||
|
||||
|
||||
void LCodeGen::DoLoadNamedFieldPolymorphic(LLoadNamedFieldPolymorphic* instr) {
|
||||
Register object = ToRegister(instr->object());
|
||||
Register result = ToRegister(instr->result());
|
||||
@ -2370,16 +2382,10 @@ void LCodeGen::DoLoadNamedFieldPolymorphic(LLoadNamedFieldPolymorphic* instr) {
|
||||
}
|
||||
Handle<String> name = instr->hydrogen()->name();
|
||||
Label done;
|
||||
bool compact_code = true;
|
||||
bool all_are_compact = true;
|
||||
for (int i = 0; i < map_count; ++i) {
|
||||
LookupResult lookup(isolate());
|
||||
Handle<Map> map = instr->hydrogen()->types()->at(i);
|
||||
map->LookupInDescriptors(NULL, *name, &lookup);
|
||||
if (!lookup.IsFound() ||
|
||||
(lookup.type() != FIELD && lookup.type() != CONSTANT_FUNCTION)) {
|
||||
// The two cases above cause a bounded amount of code to be emitted. This
|
||||
// is not necessarily the case for other lookup results.
|
||||
compact_code = false;
|
||||
if (!CompactEmit(instr->hydrogen()->types(), name, i, isolate())) {
|
||||
all_are_compact = false;
|
||||
break;
|
||||
}
|
||||
}
|
||||
@ -2395,11 +2401,13 @@ void LCodeGen::DoLoadNamedFieldPolymorphic(LLoadNamedFieldPolymorphic* instr) {
|
||||
result, object, map, name, instr->environment());
|
||||
} else {
|
||||
Label next;
|
||||
__ j(not_equal, &next, Label::kNear);
|
||||
bool compact = all_are_compact ? true :
|
||||
CompactEmit(instr->hydrogen()->types(), name, i, isolate());
|
||||
__ j(not_equal, &next, compact ? Label::kNear : Label::kFar);
|
||||
__ bind(&check_passed);
|
||||
EmitLoadFieldOrConstantFunction(
|
||||
result, object, map, name, instr->environment());
|
||||
__ jmp(&done, compact_code ? Label::kNear : Label::kFar);
|
||||
__ jmp(&done, all_are_compact ? Label::kNear : Label::kFar);
|
||||
__ bind(&next);
|
||||
}
|
||||
}
|
||||
|
||||
@ -2233,6 +2233,18 @@ void LCodeGen::EmitLoadFieldOrConstantFunction(Register result,
|
||||
}
|
||||
|
||||
|
||||
// Check for cases where EmitLoadFieldOrConstantFunction needs to walk the
|
||||
// prototype chain, which causes unbounded code generation.
|
||||
static bool CompactEmit(
|
||||
SmallMapList* list, Handle<String> name, int i, Isolate* isolate) {
|
||||
LookupResult lookup(isolate);
|
||||
Handle<Map> map = list->at(i);
|
||||
map->LookupInDescriptors(NULL, *name, &lookup);
|
||||
return lookup.IsFound() &&
|
||||
(lookup.type() == FIELD || lookup.type() == CONSTANT_FUNCTION);
|
||||
}
|
||||
|
||||
|
||||
void LCodeGen::DoLoadNamedFieldPolymorphic(LLoadNamedFieldPolymorphic* instr) {
|
||||
Register object = ToRegister(instr->object());
|
||||
Register result = ToRegister(instr->result());
|
||||
@ -2246,16 +2258,10 @@ void LCodeGen::DoLoadNamedFieldPolymorphic(LLoadNamedFieldPolymorphic* instr) {
|
||||
}
|
||||
Handle<String> name = instr->hydrogen()->name();
|
||||
Label done;
|
||||
bool compact_code = true;
|
||||
bool all_are_compact = true;
|
||||
for (int i = 0; i < map_count; ++i) {
|
||||
LookupResult lookup(isolate());
|
||||
Handle<Map> map = instr->hydrogen()->types()->at(i);
|
||||
map->LookupInDescriptors(NULL, *name, &lookup);
|
||||
if (!lookup.IsFound() ||
|
||||
(lookup.type() != FIELD && lookup.type() != CONSTANT_FUNCTION)) {
|
||||
// The two cases above cause a bounded amount of code to be emitted. This
|
||||
// is not necessarily the case for other lookup results.
|
||||
compact_code = false;
|
||||
if (!CompactEmit(instr->hydrogen()->types(), name, i, isolate())) {
|
||||
all_are_compact = false;
|
||||
break;
|
||||
}
|
||||
}
|
||||
@ -2271,11 +2277,13 @@ void LCodeGen::DoLoadNamedFieldPolymorphic(LLoadNamedFieldPolymorphic* instr) {
|
||||
result, object, map, name, instr->environment());
|
||||
} else {
|
||||
Label next;
|
||||
__ j(not_equal, &next, Label::kNear);
|
||||
bool compact = all_are_compact ? true :
|
||||
CompactEmit(instr->hydrogen()->types(), name, i, isolate());
|
||||
__ j(not_equal, &next, compact ? Label::kNear : Label::kFar);
|
||||
__ bind(&check_passed);
|
||||
EmitLoadFieldOrConstantFunction(
|
||||
result, object, map, name, instr->environment());
|
||||
__ jmp(&done, compact_code ? Label::kNear: Label::kFar);
|
||||
__ jmp(&done, all_are_compact ? Label::kNear : Label::kFar);
|
||||
__ bind(&next);
|
||||
}
|
||||
}
|
||||
|
||||
45
test/mjsunit/regress/regress-deep-proto.js
Normal file
45
test/mjsunit/regress/regress-deep-proto.js
Normal file
@ -0,0 +1,45 @@
|
||||
// Copyright 2012 the V8 project authors. All rights reserved.
|
||||
// Redistribution and use in source and binary forms, with or without
|
||||
// modification, are permitted provided that the following conditions are
|
||||
// met:
|
||||
//
|
||||
// * Redistributions of source code must retain the above copyright
|
||||
// notice, this list of conditions and the following disclaimer.
|
||||
// * Redistributions in binary form must reproduce the above
|
||||
// copyright notice, this list of conditions and the following
|
||||
// disclaimer in the documentation and/or other materials provided
|
||||
// with the distribution.
|
||||
// * Neither the name of Google Inc. nor the names of its
|
||||
// contributors may be used to endorse or promote products derived
|
||||
// from this software without specific prior written permission.
|
||||
//
|
||||
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
function poly(x) {
|
||||
return x.foo;
|
||||
}
|
||||
|
||||
var one = {foo: 0};
|
||||
var two = {foo: 0, bar: 1};
|
||||
var three = {bar: 0};
|
||||
three.__proto__ = {};
|
||||
three.__proto__.__proto__ = {};
|
||||
three.__proto__.__proto__.__proto__ = {};
|
||||
three.__proto__.__proto__.__proto__.__proto__ = {};
|
||||
three.__proto__.__proto__.__proto__.__proto__.__proto__ = {};
|
||||
|
||||
for (var i = 0; i < 1e6; i++) {
|
||||
poly(one);
|
||||
poly(two);
|
||||
poly(three);
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user