From 8076b280125e0ff396beb56ddd8829acf7c2b4bb Mon Sep 17 00:00:00 2001 From: Georg Neis Date: Thu, 15 Feb 2018 09:30:27 +0000 Subject: [PATCH] Revert "[ic] EmitElementStore: don't miss when hitting new space limit." This reverts commit af677f29b1b7c0286b423c4e745303ed51de88e9. Reason for revert: Clusterfuzz found an issue. Original change's description: > [ic] EmitElementStore: don't miss when hitting new space limit. > > CSA::EmitElementStore used to bail out (IC miss) via > CSA::CheckForCapacityGrow when the capacity hits the new space > limit, causing the store IC to go megamorphic in my example (see > referenced bug). With this CL, we do what TF'ed code does already: > call into Runtime::kGrowArrayElements (in this situation), thus > staying monomorphic. > > Here's a contrived test case: > > //////////////////////// > let x = []; > > function bar() { > for (let i = 0; i < 50000; ++i) x[i] = i; > } > > function foo() { > for (let i = x.length; i < 100e6; ++i) x[i] = i; > } > > bar(); > foo(); > //////////////////////// > > This took about 4s on my machine, now it takes 3s. > > Bug: v8:7447 > Change-Id: I7f268fc55835f363d250613ce0357444a663051c > Reviewed-on: https://chromium-review.googlesource.com/918723 > Commit-Queue: Georg Neis > Reviewed-by: Benedikt Meurer > Cr-Commit-Position: refs/heads/master@{#51297} TBR=neis@chromium.org,bmeurer@chromium.org Change-Id: I34eef5919cbdef1b35512aa98ac2de0ae5fcc7cc No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:7447 Reviewed-on: https://chromium-review.googlesource.com/921121 Reviewed-by: Georg Neis Commit-Queue: Georg Neis Cr-Commit-Position: refs/heads/master@{#51306} --- src/code-stub-assembler.cc | 18 ++---------------- 1 file changed, 2 insertions(+), 16 deletions(-) diff --git a/src/code-stub-assembler.cc b/src/code-stub-assembler.cc index e9c143c747..539fc78265 100644 --- a/src/code-stub-assembler.cc +++ b/src/code-stub-assembler.cc 
@@ -8005,8 +8005,7 @@ Node* CodeStubAssembler::CheckForCapacityGrow( KeyedAccessStoreMode store_mode, Node* length, Node* key, ParameterMode mode, bool is_js_array, Label* bailout) { VARIABLE(checked_elements, MachineRepresentation::kTagged); - Label grow_case(this), no_grow_case(this), done(this), - grow_bailout(this, Label::kDeferred); + Label grow_case(this), no_grow_case(this), done(this); Node* condition; if (IsHoleyOrDictionaryElementsKind(kind)) { @@ -8027,24 +8026,11 @@ Node* CodeStubAssembler::CheckForCapacityGrow( { Node* new_elements = TryGrowElementsCapacity( - object, elements, kind, key, current_capacity, mode, &grow_bailout); + object, elements, kind, key, current_capacity, mode, bailout); checked_elements.Bind(new_elements); Goto(&fits_capacity); } - BIND(&grow_bailout); - { - Node* tagged_key = mode == SMI_PARAMETERS - ? key - : ChangeInt32ToTagged(TruncateWordToWord32(key)); - Node* maybe_elements = CallRuntime( - Runtime::kGrowArrayElements, NoContextConstant(), object, tagged_key); - GotoIf(TaggedIsSmi(maybe_elements), bailout); - CSA_ASSERT(this, IsFixedArrayWithKind(maybe_elements, kind)); - checked_elements.Bind(maybe_elements); - Goto(&fits_capacity); - } - BIND(&fits_capacity); if (is_js_array) { Node* new_length = IntPtrAdd(key, IntPtrOrSmiConstant(1, mode));
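Review bot: The restored call `TryGrowElementsCapacity(object, elements, kind, key, current_capacity, mode, bailout)` in the second hunk has no comment saying that a failed grow is meant to leave through `bailout` as an IC miss. The commit message shows the alternative was tried and reverted after a Clusterfuzz report, so a short comment above the call would guard against re-introducing it: `// Growth failure takes the IC miss via |bailout|; calling Runtime::kGrowArrayElements here was reverted (v8:7447).` The message names no fuzzer bug id and the patch touches only this file, so a re-land should probably come with a regression test for the fuzzer case, whose details are not visible here. CheckForCapacityGrow starts before and continues past this hunk.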