[csa] Revert inline_allocation check in AllocateUninitializedJSArrayWithElements

This CL makes `AllocateUninitializedJSArrayWithElements` always perform inline allocation, regardless of the `v8_allocation_folding` flag. Since there are other hand crafted folded-allocations in v8 (e.g. json parser), it is hard to catch and fix them all, including this one. Also this function will trigger an IR compilation error at the moment with `V8_ALLOCATION_FOLDING_BOOL = true`. So it's better to revert it instead of fixing the compilation error and make the code more complex. PS: The `inline_allocation` check was introduced by https://chromium-review.googlesource.com/c/v8/v8/+/2946667. Change-Id: Ia88dcc23bec47a7aefb3315dd73f6d80452053b4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3017695 Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Wenyu Zhao <wenyu.zhao@anu.edu.au> Cr-Commit-Position: refs/heads/master@{#75672}
2021-07-09 15:27:04 +10:00 · 2021-07-09 15:27:04 +10:00 · e5d90561f2
commit e5d90561f2
parent 1134f9565b
1 changed files with 3 additions and 13 deletions
--- a/src/codegen/code-stub-assembler.cc
+++ b/src/codegen/code-stub-assembler.cc
@ -4019,14 +4019,9 @@ CodeStubAssembler::AllocateUninitializedJSArrayWithElements(
    // folding trick. Instead, we first allocate the elements in large object
    // space, and then allocate the JSArray (and possibly the allocation
    // memento) in new space.
-    const bool inline_allocation =
-        !V8_DISABLE_WRITE_BARRIERS_BOOL || V8_ALLOCATION_FOLDING_BOOL;
-    if ((allocation_flags & kAllowLargeObjectAllocation) ||
-        !inline_allocation) {
+    if (allocation_flags & kAllowLargeObjectAllocation) {
      Label next(this);
-      if (inline_allocation) {
-        GotoIf(IsRegularHeapObjectSize(size), &next);
-      }
+      GotoIf(IsRegularHeapObjectSize(size), &next);

      CSA_CHECK(this, IsValidFastJSArrayCapacity(capacity));

@ -4048,13 +4043,8 @@ CodeStubAssembler::AllocateUninitializedJSArrayWithElements(

      Goto(&out);

-      if (inline_allocation) {
-        BIND(&next);
-      }
+      BIND(&next);
    }
-
-    if (!inline_allocation) Unreachable();
-
    // Fold all objects into a single new space allocation.
    array =
        AllocateUninitializedJSArray(array_map, length, allocation_site, size);