AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Minor bugfix in building inlined Array: bad argument to JSArrayBuilder.

Browse Source 
An HConstant pointing to a Cell rather than an AllocationSite
was passed. The argument wasn't used because of fortuitous
flags. An assert was added to protect the argument.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/141533003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18666 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This commit is contained in:
mvstanton@chromium.org 2014-01-17 12:18:57 +00:00
parent 83d02a8ad0
commit b2bea46245
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/hydrogen.cc
View File

@ -2704,6 +2704,9 @@ HGraphBuilder::JSArrayBuilder::JSArrayBuilder(HGraphBuilder* builder,
kind_(kind), kind_(kind),
allocation_site_payload_(allocation_site_payload), allocation_site_payload_(allocation_site_payload),
constructor_function_(constructor_function) { constructor_function_(constructor_function) {
ASSERT(!allocation_site_payload->IsConstant() ||
HConstant::cast(allocation_site_payload)->handle(
builder_->isolate())->IsAllocationSite());
mode_ = override_mode == DISABLE_ALLOCATION_SITES mode_ = override_mode == DISABLE_ALLOCATION_SITES
? DONT_TRACK_ALLOCATION_SITE ? DONT_TRACK_ALLOCATION_SITE
: AllocationSite::GetMode(kind); : AllocationSite::GetMode(kind);
@ -7944,10 +7947,10 @@ void HOptimizedGraphBuilder::BuildInlinedCallNewArray(CallNew* expr) {
Handle<Cell> cell = expr->allocation_info_cell(); Handle<Cell> cell = expr->allocation_info_cell();
Handle<AllocationSite> site(AllocationSite::cast(cell->value())); Handle<AllocationSite> site(AllocationSite::cast(cell->value()));
// Register on the site for deoptimization if the cell value changes. // Register on the site for deoptimization if the transition feedback changes.
AllocationSite::AddDependentCompilationInfo( AllocationSite::AddDependentCompilationInfo(
site, AllocationSite::TRANSITIONS, top_info()); site, AllocationSite::TRANSITIONS, top_info());
HInstruction* cell_instruction = Add<HConstant>(cell); HInstruction* site_instruction = Add<HConstant>(site);
// In the single constant argument case, we may have to adjust elements kind // In the single constant argument case, we may have to adjust elements kind
// to avoid creating a packed non-empty array. // to avoid creating a packed non-empty array.
@ -7966,7 +7969,7 @@ void HOptimizedGraphBuilder::BuildInlinedCallNewArray(CallNew* expr) {
// Build the array. // Build the array.
JSArrayBuilder array_builder(this, JSArrayBuilder array_builder(this,
kind, kind,
cell_instruction, site_instruction,
constructor, constructor,
DISABLE_ALLOCATION_SITES); DISABLE_ALLOCATION_SITES);
HValue* new_object; HValue* new_object;