Make near-jump check more strict in LoadNamedFieldPolymorphic on ia32/x64

BUG=134055 TEST=mjsunit/regress/regress-crbug-134055 Review URL: https://chromiumcodereview.appspot.com/10630027 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11907 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-22 13:38:39 +00:00 · 2012-06-22 13:38:39 +00:00 · 9ce4133017
commit 9ce4133017
parent 9a0069b639
3 changed files with 79 additions and 6 deletions
--- a/src/ia32/lithium-codegen-ia32.cc
+++ b/src/ia32/lithium-codegen-ia32.cc
@ -2464,10 +2464,15 @@ void LCodeGen::EmitPushTaggedOperand(LOperand* operand) {

 // Check for cases where EmitLoadFieldOrConstantFunction needs to walk the
 // prototype chain, which causes unbounded code generation.
-static bool CompactEmit(
-    SmallMapList* list, Handle<String> name, int i, Isolate* isolate) {
-  LookupResult lookup(isolate);
+static bool CompactEmit(SmallMapList* list,
+                        Handle<String> name,
+                        int i,
+                        Isolate* isolate) {
  Handle<Map> map = list->at(i);
+  // If the map has ElementsKind transitions, we will generate map checks
+  // for each kind in __ CompareMap(..., ALLOW_ELEMENTS_TRANSITION_MAPS).
+  if (map->elements_transition_map() != NULL) return false;
+  LookupResult lookup(isolate);
  map->LookupInDescriptors(NULL, *name, &lookup);
  return lookup.IsField() || lookup.IsConstantFunction();
 }
--- a/src/x64/lithium-codegen-x64.cc
+++ b/src/x64/lithium-codegen-x64.cc
@ -2321,10 +2321,15 @@ void LCodeGen::EmitLoadFieldOrConstantFunction(Register result,

 // Check for cases where EmitLoadFieldOrConstantFunction needs to walk the
 // prototype chain, which causes unbounded code generation.
-static bool CompactEmit(
-    SmallMapList* list, Handle<String> name, int i, Isolate* isolate) {
-  LookupResult lookup(isolate);
+static bool CompactEmit(SmallMapList* list,
+                        Handle<String> name,
+                        int i,
+                        Isolate* isolate) {
  Handle<Map> map = list->at(i);
+  // If the map has ElementsKind transitions, we will generate map checks
+  // for each kind in __ CompareMap(..., ALLOW_ELEMENTS_TRANSITION_MAPS).
+  if (map->elements_transition_map() != NULL) return false;
+  LookupResult lookup(isolate);
  map->LookupInDescriptors(NULL, *name, &lookup);
  return lookup.IsField() || lookup.IsConstantFunction();
 }
--- a/test/mjsunit/regress/regress-crbug-134055.js
+++ b/test/mjsunit/regress/regress-crbug-134055.js
@ -0,0 +1,63 @@
+// Copyright 2012 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+function crash(obj) {
+  return obj.foo;
+}
+
+function base(number_of_properties) {
+  var result = new Array();
+  for (var i = 0; i < number_of_properties; i++) {
+    result["property" + i] = "value" + i;
+  }
+  result.foo = number_of_properties;
+  return result;
+}
+
+var a = base(12);
+var b = base(13);
+var c = base(14);
+var d = base(15);
+
+crash(a);  // Premonomorphic.
+crash(a);
+crash(b);
+crash(c);
+crash(d);  // Polymorphic, degree 4.
+
+//Prepare ElementsKind transition map chain.
+var x = base(13);
+x[0] = "object";
+x = base(14);
+x[0] = "object";
+x = base(15);
+x[0] = "object";
+
+%OptimizeFunctionOnNextCall(crash);
+crash(a);