[stubs] Fix CodeStubAssembler::TrapAllocationMemento

to actually trap allocation mementos. Review-Url: https://codereview.chromium.org/2487943005 Cr-Commit-Position: refs/heads/master@{#40895}
2016-11-10 05:46:58 -08:00 · 2016-11-10 05:46:58 -08:00 · cc2a2771a6
commit cc2a2771a6
parent 6d533403f9
2 changed files with 59 additions and 9 deletions
--- a/src/code-stub-assembler.cc
+++ b/src/code-stub-assembler.cc
@ -6887,23 +6887,23 @@ void CodeStubAssembler::TrapAllocationMemento(Node* object,

  Node* new_space_top_address = ExternalConstant(
      ExternalReference::new_space_allocation_top_address(isolate()));
-  const int kMementoMapOffset = JSArray::kSize - kHeapObjectTag;
+  const int kMementoMapOffset = JSArray::kSize;
  const int kMementoLastWordOffset =
      kMementoMapOffset + AllocationMemento::kSize - kPointerSize;

  // Bail out if the object is not in new space.
  Node* object_page = PageFromAddress(object);
  {
-    const int mask =
-        (1 << MemoryChunk::IN_FROM_SPACE) | (1 << MemoryChunk::IN_TO_SPACE);
-    Node* page_flags = Load(MachineType::IntPtr(), object_page);
-    GotoIf(
-        WordEqual(WordAnd(page_flags, IntPtrConstant(mask)), IntPtrConstant(0)),
-        &no_memento_found);
+    Node* page_flags = Load(MachineType::IntPtr(), object_page,
+                            IntPtrConstant(Page::kFlagsOffset));
+    GotoIf(WordEqual(WordAnd(page_flags,
+                             IntPtrConstant(MemoryChunk::kIsInNewSpaceMask)),
+                     IntPtrConstant(0)),
+           &no_memento_found);
  }

-  Node* memento_last_word =
-      IntPtrAdd(object, IntPtrConstant(kMementoLastWordOffset));
+  Node* memento_last_word = IntPtrAdd(
+      object, IntPtrConstant(kMementoLastWordOffset - kHeapObjectTag));
  Node* memento_last_word_page = PageFromAddress(memento_last_word);

  Node* new_space_top = Load(MachineType::Pointer(), new_space_top_address);
--- a/test/mjsunit/regress/regress-trap-allocation-memento.js
+++ b/test/mjsunit/regress/regress-trap-allocation-memento.js
@ -0,0 +1,50 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --noalways-opt
+
+var elements_kind = {
+  fast_smi_only            :  'fast smi only elements',
+  fast                     :  'fast elements',
+  fast_double              :  'fast double elements',
+  dictionary               :  'dictionary elements',
+}
+
+function getKind(obj) {
+  if (%HasFastSmiElements(obj)) return elements_kind.fast_smi_only;
+  if (%HasFastObjectElements(obj)) return elements_kind.fast;
+  if (%HasFastDoubleElements(obj)) return elements_kind.fast_double;
+  if (%HasDictionaryElements(obj)) return elements_kind.dictionary;
+}
+
+function assertKind(expected, obj, name_opt) {
+  assertEquals(expected, getKind(obj), name_opt);
+}
+
+(function() {
+  function make1() { return new Array(); }
+  function make2() { return new Array(); }
+  function make3() { return new Array(); }
+  function foo(a, i) { a[0] = i; }
+
+  function run_test(maker_function) {
+    var one = maker_function();
+    assertKind(elements_kind.fast_smi_only, one);
+    // Use memento to pre-transition allocation site to DOUBLE elements.
+    foo(one, 1.5);
+    // Newly created arrays should now have DOUBLE elements right away.
+    var two = maker_function();
+    assertKind(elements_kind.fast_double, two);
+  }
+
+  // Initialize the KeyedStoreIC in foo; the actual operation will be done
+  // in the runtime.
+  run_test(make1);
+  // Run again; the IC optimistically assumed to only see the transitioned
+  // (double-elements) map again, so this will make it polymorphic.
+  // The actual operation will again be done in the runtime.
+  run_test(make2);
+  // Finally, check if the initialized IC honors the allocation memento.
+  run_test(make3);
+})();