The Array function must be looked up in the native context.

Platforms x64, a64, arm and mips had the bug that the array function was looked up in the global context instead of the native context. Fix this, restoring a weakened assert in hydrogen along the way (by the fix for crbug 347528, which helped find this case). R=dcarney@chromium.org Review URL: https://codereview.chromium.org/184383003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19597 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 10:39:36 +00:00 · 2014-02-28 10:39:36 +00:00 · df988c7f6b
commit df988c7f6b
parent 2aa5ac9311
16 changed files with 14 additions and 80 deletions
--- a/src/a64/code-stubs-a64.cc
+++ b/src/a64/code-stubs-a64.cc
@ -3290,7 +3290,7 @@ static void GenerateRecordCallTarget(MacroAssembler* masm) {
  __ JumpIfNotRoot(x5, Heap::kAllocationSiteMapRootIndex, &miss);

  // Make sure the function is the Array() function
-  __ LoadArrayFunction(x4);
+  __ LoadGlobalFunction(Context::ARRAY_FUNCTION_INDEX, x4);
  __ Cmp(x1, x4);
  __ B(ne, &megamorphic);
  __ B(&done);
@ -3312,7 +3312,7 @@ static void GenerateRecordCallTarget(MacroAssembler* masm) {
  // indicate the ElementsKind if function is the Array constructor.
  __ Bind(&initialize);
  // Make sure the function is the Array() function
-  __ LoadArrayFunction(x4);
+  __ LoadGlobalFunction(Context::ARRAY_FUNCTION_INDEX, x4);
  __ Cmp(x1, x4);
  __ B(ne, &not_array_function);

--- a/src/a64/macro-assembler-a64.cc
+++ b/src/a64/macro-assembler-a64.cc
@ -4712,17 +4712,6 @@ void MacroAssembler::LoadTransitionedArrayMapConditional(
 }


-void MacroAssembler::LoadArrayFunction(Register function) {
-  // Load the global or builtins object from the current context.
-  Ldr(function, GlobalObjectMemOperand());
-  // Load the global context from the global or builtins object.
-  Ldr(function,
-      FieldMemOperand(function, GlobalObject::kGlobalContextOffset));
-  // Load the array function from the native context.
-  Ldr(function, ContextMemOperand(function, Context::ARRAY_FUNCTION_INDEX));
-}
-
-
 void MacroAssembler::LoadGlobalFunction(int index, Register function) {
  // Load the global or builtins object from the current context.
  Ldr(function, GlobalObjectMemOperand());
--- a/src/a64/macro-assembler-a64.h
+++ b/src/a64/macro-assembler-a64.h
@ -1888,7 +1888,6 @@ class MacroAssembler : public Assembler {
      Register scratch,
      Label* no_map_match);

-  void LoadArrayFunction(Register function);
  void LoadGlobalFunction(int index, Register function);

  // Load the initial map from the global function. The registers function and
--- a/src/arm/code-stubs-arm.cc
+++ b/src/arm/code-stubs-arm.cc
@ -3037,7 +3037,7 @@ static void GenerateRecordCallTarget(MacroAssembler* masm) {
  __ b(ne, &miss);

  // Make sure the function is the Array() function
-  __ LoadArrayFunction(r4);
+  __ LoadGlobalFunction(Context::ARRAY_FUNCTION_INDEX, r4);
  __ cmp(r1, r4);
  __ b(ne, &megamorphic);
  __ jmp(&done);
@ -3060,7 +3060,7 @@ static void GenerateRecordCallTarget(MacroAssembler* masm) {
  // indicate the ElementsKind if function is the Array constructor.
  __ bind(&initialize);
  // Make sure the function is the Array() function
-  __ LoadArrayFunction(r4);
+  __ LoadGlobalFunction(Context::ARRAY_FUNCTION_INDEX, r4);
  __ cmp(r1, r4);
  __ b(ne, &not_array_function);

--- a/src/arm/macro-assembler-arm.cc
+++ b/src/arm/macro-assembler-arm.cc
@ -2902,19 +2902,6 @@ void MacroAssembler::LoadGlobalFunction(int index, Register function) {
 }


-void MacroAssembler::LoadArrayFunction(Register function) {
-  // Load the global or builtins object from the current context.
-  ldr(function,
-      MemOperand(cp, Context::SlotOffset(Context::GLOBAL_OBJECT_INDEX)));
-  // Load the global context from the global or builtins object.
-  ldr(function,
-      FieldMemOperand(function, GlobalObject::kGlobalContextOffset));
-  // Load the array function from the native context.
-  ldr(function,
-      MemOperand(function, Context::SlotOffset(Context::ARRAY_FUNCTION_INDEX)));
-}
-
-
 void MacroAssembler::LoadGlobalFunctionInitialMap(Register function,
                                                  Register map,
                                                  Register scratch) {
--- a/src/arm/macro-assembler-arm.h
+++ b/src/arm/macro-assembler-arm.h
@ -571,7 +571,6 @@ class MacroAssembler: public Assembler {
      Label* no_map_match);

  void LoadGlobalFunction(int index, Register function);
-  void LoadArrayFunction(Register function);

  // Load the initial map from the global function. The registers
  // function and map can be the same, function is then overwritten.
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@ -8225,15 +8225,14 @@ static bool IsAllocationInlineable(Handle<JSFunction> constructor) {


 bool HOptimizedGraphBuilder::IsCallNewArrayInlineable(CallNew* expr) {
-  Handle<AllocationSite> site = expr->allocation_site();
-  if (site.is_null()) return false;
-
  Handle<JSFunction> caller = current_info()->closure();
  Handle<JSFunction> target(isolate()->native_context()->array_function(),
                            isolate());
  int argument_count = expr->arguments()->length();
  // We should have the function plus array arguments on the environment stack.
  ASSERT(environment()->length() >= (argument_count + 1));
+  Handle<AllocationSite> site = expr->allocation_site();
+  ASSERT(!site.is_null());

  bool inline_ok = false;
  if (site->CanInlineCall()) {
--- a/src/ia32/code-stubs-ia32.cc
+++ b/src/ia32/code-stubs-ia32.cc
@ -2352,11 +2352,9 @@ static void GenerateRecordCallTarget(MacroAssembler* masm) {
  __ cmp(FieldOperand(ecx, 0), Immediate(allocation_site_map));
  __ j(not_equal, &miss);

-  // Load the global or builtins object from the current context
-  __ LoadGlobalContext(ecx);
  // Make sure the function is the Array() function
-  __ cmp(edi, Operand(ecx,
-                      Context::SlotOffset(Context::ARRAY_FUNCTION_INDEX)));
+  __ LoadGlobalFunction(Context::ARRAY_FUNCTION_INDEX, ecx);
+  __ cmp(edi, ecx);
  __ j(not_equal, &megamorphic);
  __ jmp(&done, Label::kFar);

@ -2377,10 +2375,9 @@ static void GenerateRecordCallTarget(MacroAssembler* masm) {
  // An uninitialized cache is patched with the function or sentinel to
  // indicate the ElementsKind if function is the Array constructor.
  __ bind(&initialize);
-  __ LoadGlobalContext(ecx);
  // Make sure the function is the Array() function
-  __ cmp(edi, Operand(ecx,
-                      Context::SlotOffset(Context::ARRAY_FUNCTION_INDEX)));
+  __ LoadGlobalFunction(Context::ARRAY_FUNCTION_INDEX, ecx);
+  __ cmp(edi, ecx);
  __ j(not_equal, &not_array_function);

  // The target function is the Array constructor,
--- a/src/ia32/macro-assembler-ia32.cc
+++ b/src/ia32/macro-assembler-ia32.cc
@ -2689,16 +2689,6 @@ void MacroAssembler::LoadTransitionedArrayMapConditional(
 }


-void MacroAssembler::LoadGlobalContext(Register global_context) {
-  // Load the global or builtins object from the current context.
-  mov(global_context,
-      Operand(esi, Context::SlotOffset(Context::GLOBAL_OBJECT_INDEX)));
-  // Load the native context from the global or builtins object.
-  mov(global_context,
-      FieldOperand(global_context, GlobalObject::kNativeContextOffset));
-}
-
-
 void MacroAssembler::LoadGlobalFunction(int index, Register function) {
  // Load the global or builtins object from the current context.
  mov(function,
--- a/src/ia32/macro-assembler-ia32.h
+++ b/src/ia32/macro-assembler-ia32.h
@ -262,8 +262,6 @@ class MacroAssembler: public Assembler {
      Register scratch,
      Label* no_map_match);

-  void LoadGlobalContext(Register global_context);
-
  // Load the global function with the given index.
  void LoadGlobalFunction(int index, Register function);

--- a/src/mips/code-stubs-mips.cc
+++ b/src/mips/code-stubs-mips.cc
@ -3184,7 +3184,7 @@ static void GenerateRecordCallTarget(MacroAssembler* masm) {
  __ Branch(&miss, ne, t1, Operand(at));

  // Make sure the function is the Array() function
-  __ LoadArrayFunction(t0);
+  __ LoadGlobalFunction(Context::ARRAY_FUNCTION_INDEX, t0);
  __ Branch(&megamorphic, ne, a1, Operand(t0));
  __ jmp(&done);

@ -3207,7 +3207,7 @@ static void GenerateRecordCallTarget(MacroAssembler* masm) {
  // indicate the ElementsKind if function is the Array constructor.
  __ bind(&initialize);
  // Make sure the function is the Array() function
-  __ LoadArrayFunction(t0);
+  __ LoadGlobalFunction(Context::ARRAY_FUNCTION_INDEX, t0);
  __ Branch(&not_array_function, ne, a1, Operand(t0));

  // The target function is the Array constructor.
--- a/src/mips/macro-assembler-mips.cc
+++ b/src/mips/macro-assembler-mips.cc
@ -4442,19 +4442,6 @@ void MacroAssembler::LoadGlobalFunction(int index, Register function) {
 }


-void MacroAssembler::LoadArrayFunction(Register function) {
-  // Load the global or builtins object from the current context.
-  lw(function,
-     MemOperand(cp, Context::SlotOffset(Context::GLOBAL_OBJECT_INDEX)));
-  // Load the global context from the global or builtins object.
-  lw(function,
-     FieldMemOperand(function, GlobalObject::kGlobalContextOffset));
-  // Load the array function from the native context.
-  lw(function,
-     MemOperand(function, Context::SlotOffset(Context::ARRAY_FUNCTION_INDEX)));
-}
-
-
 void MacroAssembler::LoadGlobalFunctionInitialMap(Register function,
                                                  Register map,
                                                  Register scratch) {
--- a/src/mips/macro-assembler-mips.h
+++ b/src/mips/macro-assembler-mips.h
@ -872,7 +872,6 @@ class MacroAssembler: public Assembler {
      Label* no_map_match);

  void LoadGlobalFunction(int index, Register function);
-  void LoadArrayFunction(Register function);

  // Load the initial map from the global function. The registers
  // function and map can be the same, function is then overwritten.
--- a/src/x64/code-stubs-x64.cc
+++ b/src/x64/code-stubs-x64.cc
@ -2194,7 +2194,7 @@ static void GenerateRecordCallTarget(MacroAssembler* masm) {
  __ j(not_equal, &miss);

  // Make sure the function is the Array() function
-  __ LoadArrayFunction(rcx);
+  __ LoadGlobalFunction(Context::ARRAY_FUNCTION_INDEX, rcx);
  __ cmpq(rdi, rcx);
  __ j(not_equal, &megamorphic);
  __ jmp(&done);
@ -2216,7 +2216,7 @@ static void GenerateRecordCallTarget(MacroAssembler* masm) {
  // indicate the ElementsKind if function is the Array constructor.
  __ bind(&initialize);
  // Make sure the function is the Array() function
-  __ LoadArrayFunction(rcx);
+  __ LoadGlobalFunction(Context::ARRAY_FUNCTION_INDEX, rcx);
  __ cmpq(rdi, rcx);
  __ j(not_equal, &not_array_function);

--- a/src/x64/macro-assembler-x64.cc
+++ b/src/x64/macro-assembler-x64.cc
@ -4547,15 +4547,6 @@ void MacroAssembler::LoadGlobalFunction(int index, Register function) {
 }


-void MacroAssembler::LoadArrayFunction(Register function) {
-  movp(function,
-       Operand(rsi, Context::SlotOffset(Context::GLOBAL_OBJECT_INDEX)));
-  movp(function, FieldOperand(function, GlobalObject::kGlobalContextOffset));
-  movp(function,
-       Operand(function, Context::SlotOffset(Context::ARRAY_FUNCTION_INDEX)));
-}
-
-
 void MacroAssembler::LoadGlobalFunctionInitialMap(Register function,
                                                  Register map) {
  // Load the initial map.  The global functions all have initial maps.
--- a/src/x64/macro-assembler-x64.h
+++ b/src/x64/macro-assembler-x64.h
@ -1236,7 +1236,6 @@ class MacroAssembler: public Assembler {

  // Load the global function with the given index.
  void LoadGlobalFunction(int index, Register function);
-  void LoadArrayFunction(Register function);

  // Load the initial map from the global function. The registers
  // function and map can be the same.