From cc2a2771a6c7712375abef23e9153819caf4e9af Mon Sep 17 00:00:00 2001 From: jkummerow Date: Thu, 10 Nov 2016 05:46:58 -0800 Subject: [PATCH] [stubs] Fix CodeStubAssembler::TrapAllocationMemento to actually trap allocation mementos. Review-Url: https://codereview.chromium.org/2487943005 Cr-Commit-Position: refs/heads/master@{#40895} --- src/code-stub-assembler.cc | 18 +++---- .../regress-trap-allocation-memento.js | 50 +++++++++++++++++++ 2 files changed, 59 insertions(+), 9 deletions(-) create mode 100644 test/mjsunit/regress/regress-trap-allocation-memento.js diff --git a/src/code-stub-assembler.cc b/src/code-stub-assembler.cc index 8838bc5587..02e6a347ac 100644 --- a/src/code-stub-assembler.cc +++ b/src/code-stub-assembler.cc @@ -6887,23 +6887,23 @@ void CodeStubAssembler::TrapAllocationMemento(Node* object, Node* new_space_top_address = ExternalConstant( ExternalReference::new_space_allocation_top_address(isolate())); - const int kMementoMapOffset = JSArray::kSize - kHeapObjectTag; + const int kMementoMapOffset = JSArray::kSize; const int kMementoLastWordOffset = kMementoMapOffset + AllocationMemento::kSize - kPointerSize; // Bail out if the object is not in new space. Node* object_page = PageFromAddress(object); { - const int mask = - (1 << MemoryChunk::IN_FROM_SPACE) | (1 << MemoryChunk::IN_TO_SPACE); - Node* page_flags = Load(MachineType::IntPtr(), object_page); - GotoIf( - WordEqual(WordAnd(page_flags, IntPtrConstant(mask)), IntPtrConstant(0)), - &no_memento_found); + Node* page_flags = Load(MachineType::IntPtr(), object_page, + IntPtrConstant(Page::kFlagsOffset)); + GotoIf(WordEqual(WordAnd(page_flags, + IntPtrConstant(MemoryChunk::kIsInNewSpaceMask)), + IntPtrConstant(0)), + &no_memento_found); } - Node* memento_last_word = - IntPtrAdd(object, IntPtrConstant(kMementoLastWordOffset)); + Node* memento_last_word = IntPtrAdd( + object, IntPtrConstant(kMementoLastWordOffset - kHeapObjectTag)); Node* memento_last_word_page = PageFromAddress(memento_last_word); Node* new_space_top = Load(MachineType::Pointer(), new_space_top_address); diff --git a/test/mjsunit/regress/regress-trap-allocation-memento.js b/test/mjsunit/regress/regress-trap-allocation-memento.js new file mode 100644 index 0000000000..12baca0918 --- /dev/null +++ b/test/mjsunit/regress/regress-trap-allocation-memento.js @@ -0,0 +1,50 @@ +// Copyright 2016 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax --noalways-opt + +var elements_kind = { + fast_smi_only : 'fast smi only elements', + fast : 'fast elements', + fast_double : 'fast double elements', + dictionary : 'dictionary elements', +} + +function getKind(obj) { + if (%HasFastSmiElements(obj)) return elements_kind.fast_smi_only; + if (%HasFastObjectElements(obj)) return elements_kind.fast; + if (%HasFastDoubleElements(obj)) return elements_kind.fast_double; + if (%HasDictionaryElements(obj)) return elements_kind.dictionary; +} + +function assertKind(expected, obj, name_opt) { + assertEquals(expected, getKind(obj), name_opt); +} + +(function() { + function make1() { return new Array(); } + function make2() { return new Array(); } + function make3() { return new Array(); } + function foo(a, i) { a[0] = i; } + + function run_test(maker_function) { + var one = maker_function(); + assertKind(elements_kind.fast_smi_only, one); + // Use memento to pre-transition allocation site to DOUBLE elements. + foo(one, 1.5); + // Newly created arrays should now have DOUBLE elements right away. + var two = maker_function(); + assertKind(elements_kind.fast_double, two); + } + + // Initialize the KeyedStoreIC in foo; the actual operation will be done + // in the runtime. + run_test(make1); + // Run again; the IC optimistically assumed to only see the transitioned + // (double-elements) map again, so this will make it polymorphic. + // The actual operation will again be done in the runtime. + run_test(make2); + // Finally, check if the initialized IC honors the allocation memento. + run_test(make3); +})();