AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Revert "Fix TypedArray Property optimizations", add regression test and eliminate dead code

Browse Source 
This reverts commit 41d571dfe8.

Reason for revert: This patch breaks the correctness of the typedarray
properties such as length, byteOffset, byteLength.

The accessor check optimization code is dead code eliminated. A follow
up patch will fix this optimization correctly.

BUG=chromium:593634

Review-Url: https://codereview.chromium.org/1977983002
Cr-Commit-Position: refs/heads/master@{#36254}
This commit is contained in:
gsathya 2016-05-13 15:30:40 -07:00 committed by Commit bot
parent a02076429d
commit d33aedb7b9
7 changed files with 47 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
src/accessors.cc
View File

@ -93,36 +93,6 @@ bool Accessors::IsJSArrayBufferViewFieldAccessor(Handle<Map> map,
Isolate* isolate = name->GetIsolate();
switch (map->instance_type()) {
case JS_TYPED_ARRAY_TYPE: {
if (!CheckForName(name, isolate->factory()->length_string(),
JSTypedArray::kLengthOffset, object_offset) &&
!CheckForName(name, isolate->factory()->byte_length_string(),
JSTypedArray::kByteLengthOffset, object_offset) &&
!CheckForName(name, isolate->factory()->byte_offset_string(),
JSTypedArray::kByteOffsetOffset, object_offset)) {
return false;
}
if (map->is_dictionary_map()) return false;
// Check if the property is overridden on the instance.
DescriptorArray* descriptors = map->instance_descriptors();
int descriptor = descriptors->SearchWithCache(isolate, *name, *map);
if (descriptor != DescriptorArray::kNotFound) return false;
Handle<Object> proto = Handle<Object>(map->prototype(), isolate);
if (!proto->IsJSReceiver()) return false;
// Check if the property is defined in the prototype chain.
LookupIterator it(proto, name);
if (!it.IsFound()) return false;
Handle<Object> typed_array_proto = isolate->typed_array_prototype();
// Property is not configurable. It is enough to verify that
// the holder is the same.
return *it.GetHolder<Object>() == *typed_array_proto;
}
case JS_DATA_VIEW_TYPE:
return CheckForName(name, isolate->factory()->byte_length_string(),
JSDataView::kByteLengthOffset, object_offset) ||

34
src/bootstrapper.cc
View File

@ -1606,17 +1606,6 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
}
{ // -- T y p e d A r r a y s
// Create the %TypedArrayPrototype%
Handle<JSObject> typed_array_prototype =
factory->NewJSObject(isolate->object_function(), TENURED);
native_context()->set_typed_array_prototype(*typed_array_prototype);
Handle<JSFunction> typed_array_fun = CreateFunction(
isolate, factory->InternalizeUtf8String("TypedArray"), JS_OBJECT_TYPE,
JSObject::kHeaderSize, typed_array_prototype, Builtins::kIllegal);
InstallWithIntrinsicDefaultProto(isolate, typed_array_fun,
Context::TYPED_ARRAY_FUN_INDEX);
#define INSTALL_TYPED_ARRAY(Type, type, TYPE, ctype, size) \
{ \
Handle<JSFunction> fun; \
@ -1939,17 +1928,9 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
void Genesis::InstallTypedArray(const char* name, ElementsKind elements_kind,
Handle<JSFunction>* fun) {
Handle<JSObject> global = Handle<JSObject>(native_context()->global_object());
Handle<JSObject> typed_array_prototype =
Handle<JSObject>(isolate()->typed_array_prototype());
Handle<JSFunction> typed_array_function =
Handle<JSFunction>(isolate()->typed_array_function());
Handle<JSObject> prototype =
factory()->NewJSObject(isolate()->object_function(), TENURED);
Handle<JSFunction> result =
InstallFunction(global, name, JS_TYPED_ARRAY_TYPE, JSTypedArray::kSize,
prototype, Builtins::kIllegal);
Handle<JSFunction> result = InstallFunction(
global, name, JS_TYPED_ARRAY_TYPE, JSTypedArray::kSize,
isolate()->initial_object_prototype(), Builtins::kIllegal);
Handle<Map> initial_map = isolate()->factory()->NewMap(
JS_TYPED_ARRAY_TYPE,
@ -1957,15 +1938,6 @@ void Genesis::InstallTypedArray(const char* name, ElementsKind elements_kind,
elements_kind);
JSFunction::SetInitialMap(result, initial_map,
handle(initial_map->prototype(), isolate()));
CHECK(JSObject::SetPrototype(result, typed_array_function, false,
Object::DONT_THROW)
.FromJust());
CHECK(JSObject::SetPrototype(prototype, typed_array_prototype, false,
Object::DONT_THROW)
.FromJust());
*fun = result;
}

2
src/contexts.h
View File

@ -244,8 +244,6 @@ enum BindingFlags {
V(STRING_FUNCTION_INDEX, JSFunction, string_function) \
V(STRING_FUNCTION_PROTOTYPE_MAP_INDEX, Map, string_function_prototype_map) \
V(SYMBOL_FUNCTION_INDEX, JSFunction, symbol_function) \
V(TYPED_ARRAY_FUN_INDEX, JSFunction, typed_array_function) \
V(TYPED_ARRAY_PROTOTYPE_INDEX, JSObject, typed_array_prototype) \
V(UINT16_ARRAY_FUN_INDEX, JSFunction, uint16_array_fun) \
V(UINT16X8_FUNCTION_INDEX, JSFunction, uint16x8_function) \
V(UINT32_ARRAY_FUN_INDEX, JSFunction, uint32_array_fun) \

2
src/js/array-iterator.js
View File

@ -22,7 +22,7 @@ var IteratorPrototype = utils.ImportNow("IteratorPrototype");
var iteratorSymbol = utils.ImportNow("iterator_symbol");
var MakeTypeError;
var toStringTagSymbol = utils.ImportNow("to_string_tag_symbol");
var GlobalTypedArray = %object_get_prototype_of(global.Uint8Array);
var GlobalTypedArray = global.Uint8Array.__proto__;
utils.Import(function(from) {
MakeTypeError = from.MakeTypeError;

7
src/js/typedarray.js
View File

@ -68,8 +68,6 @@ endmacro
TYPED_ARRAYS(DECLARE_GLOBALS)
var TypedArray = %object_get_prototype_of(GlobalUint8Array);
utils.Import(function(from) {
ArrayValues = from.ArrayValues;
GetIterator = from.GetIterator;
@ -810,7 +808,7 @@ function TypedArrayFrom(source, mapfn, thisArg) {
}
%FunctionSetLength(TypedArrayFrom, 1);
function TypedArrayConstructor() {
function TypedArray() {
if (IS_UNDEFINED(new.target)) {
throw MakeTypeError(kConstructorNonCallable, "TypedArray");
}
@ -821,10 +819,9 @@ function TypedArrayConstructor() {
// -------------------------------------------------------------------
%SetCode(TypedArray, TypedArrayConstructor);
%FunctionSetPrototype(TypedArray, new GlobalObject());
%AddNamedProperty(TypedArray.prototype,
"constructor", TypedArray, DONT_ENUM);
utils.InstallFunctions(TypedArray, DONT_ENUM, [
"from", TypedArrayFrom,
"of", TypedArrayOf

2
test/cctest/interpreter/bytecode_expectations/CallRuntime.golden
View File

@ -83,7 +83,7 @@ bytecodes: [
B(Star), R(0),
B(CreateArrayLiteral), U8(0), U8(0), U8(3),
B(Star), R(1),
B(CallJSRuntime), U8(120), R(0), U8(2),
B(CallJSRuntime), U8(118), R(0), U8(2),
/* 44 S> */ B(Return),
]
constant pool: [

40
test/mjsunit/regress/regress-610633.js Normal file
View File

@ -0,0 +1,40 @@
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function getLength(a) {
return a.length;
}
function getByteLength(a) {
return a.byteLength;
}
function getByteOffset(a) {
return a.byteOffset;
}
var a = new Uint8Array([1, 2, 3]);
getLength(a);
getLength(a);
Object.defineProperty(a.__proto__, 'length', {value: 42});
assertEquals(42, getLength(a));
assertEquals(42, a.length);
getByteLength(a);
getByteLength(a);
Object.defineProperty(a.__proto__, 'byteLength', {value: 42});
assertEquals(42, getByteLength(a));
assertEquals(42, a.byteLength);
getByteOffset(a);
getByteOffset(a);
Object.defineProperty(a.__proto__, 'byteOffset', {value: 42});
assertEquals(42, getByteOffset(a));
assertEquals(42, a.byteOffset);