470e68570e
This is a reland of981aafaf97It adds double checks to LoadFieldByIndex in the optimizing compiler, which are likely the source of the crashes. Original change's description: > Reland "[ic] In-place Double -> Tagged transitions" > > This is a reland of0736599a69. > This is a reland of7e1fbe8f34. > > Original change description: > > [ic] In-place Double -> Tagged transitions > > > > With no more MutableHeapNumber, we can make Double -> Tagged transitions > > in-place, at the cost of an extra map check when accessing double fields > > to make sure they are still doubles. > > > > Bug: v8:9606 > > Change-Id: I74ff39ed6fba62ee223cd37dfe761f7d73020e1c > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743973 > > Reviewed-by: Tobias Tebbi <tebbi@chromium.org> > > Reviewed-by: Toon Verwaest <verwaest@chromium.org> > > Commit-Queue: Leszek Swirski <leszeks@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#63374} > > TBR=verwaest@chromium.org, tebbi@chromium.org > > Bug: v8:9606 > Change-Id: I2d1b7416064d743582f4983fb868316b7e8a4cf2 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1777661 > Reviewed-by: Leszek Swirski <leszeks@chromium.org> > Commit-Queue: Leszek Swirski <leszeks@chromium.org> > Cr-Commit-Position: refs/heads/master@{#63499} TBR=verwaest@chromium.org Bug: v8:9606 Bug: chromium:997989 Change-Id: Iccfff8e5c6306c9ee4f6c62767dce883b1c6f743 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1784288 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#63582}
128 lines
2.8 KiB
JavaScript
128 lines
2.8 KiB
JavaScript
// Copyright 2019 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
(function doubleToTaggedWithTaggedValueStoresCorrectly() {
|
|
|
|
function setX_Double(o) { o.x = 4.2; }
|
|
|
|
function foo() {
|
|
// o.x starts off as Double
|
|
const o = { x: 0.1 };
|
|
|
|
// Write to it a few times with setX_Double, to make sure setX_Double has
|
|
// Double feedback.
|
|
setX_Double(o);
|
|
setX_Double(o);
|
|
|
|
// Transition o.x to Tagged.
|
|
o.x = {};
|
|
|
|
// setX_Double will still have Double feedback, so make sure it works with
|
|
// the new Tagged representation o.x.
|
|
setX_Double(o);
|
|
|
|
assertEquals(o.x, 4.2);
|
|
}
|
|
|
|
%EnsureFeedbackVectorForFunction(setX_Double);
|
|
foo();
|
|
|
|
})();
|
|
|
|
(function doubleToTaggedWithDoubleValueDoesNotMutate() {
|
|
|
|
function setX_Double(o) { o.x = 4.2; }
|
|
|
|
function foo() {
|
|
// o.x starts off as Double
|
|
const o = { x: 0.1 };
|
|
|
|
// Write to it a few times with setX_Double, to make sure setX_Double has
|
|
// Double feedback.
|
|
setX_Double(o);
|
|
setX_Double(o);
|
|
|
|
// Transition o.x to Tagged.
|
|
o.x = {};
|
|
|
|
// Write the HeapNumber val to o.x.
|
|
const val = 1.25;
|
|
o.x = val;
|
|
|
|
// setX_Double will still have Double feedback, which expects to be able to
|
|
// mutate o.x's HeapNumber, so make sure it does not mutate val.
|
|
setX_Double(o);
|
|
|
|
assertEquals(o.x, 4.2);
|
|
assertNotEquals(val, 4.2);
|
|
}
|
|
|
|
%EnsureFeedbackVectorForFunction(setX_Double);
|
|
foo();
|
|
|
|
})();
|
|
|
|
(function doubleToTaggedWithTaggedValueStoresSmiCorrectly() {
|
|
|
|
function setX_Smi(o) { o.x = 42; }
|
|
|
|
function foo() {
|
|
// o.x starts off as Double
|
|
const o = { x: 0.1 };
|
|
|
|
// Write to it a few times with setX_Smi, to make sure setX_Smi has
|
|
// Double feedback.
|
|
setX_Smi(o);
|
|
setX_Smi(o);
|
|
|
|
// Transition o.x to Tagged.
|
|
o.x = {};
|
|
|
|
// setX_Smi will still have Double feedback, so make sure it works with
|
|
// the new Tagged representation o.x.
|
|
setX_Smi(o);
|
|
|
|
assertEquals(o.x, 42);
|
|
}
|
|
|
|
%EnsureFeedbackVectorForFunction(setX_Smi);
|
|
foo();
|
|
|
|
})();
|
|
|
|
(function doubleToTaggedWithSmiValueDoesNotMutate() {
|
|
|
|
function setX_Smi(o) { o.x = 42; }
|
|
|
|
function foo() {
|
|
// o.x starts off as Double
|
|
const o = { x: 0.1 };
|
|
|
|
// Write to it a few times with setX_Smi, to make sure setX_Smi has
|
|
// Double feedback.
|
|
setX_Smi(o);
|
|
setX_Smi(o);
|
|
|
|
// Transition o.x to Tagged.
|
|
o.x = {};
|
|
|
|
// Write the HeapNumber val to o.x.
|
|
const val = 1.25;
|
|
o.x = val;
|
|
|
|
// setX_Smi will still have Double feedback, which expects to be able to
|
|
// mutate o.x's HeapNumber, so make sure it does not mutate val.
|
|
setX_Smi(o);
|
|
|
|
assertEquals(o.x, 42);
|
|
assertNotEquals(val, 42);
|
|
}
|
|
|
|
%EnsureFeedbackVectorForFunction(setX_Smi);
|
|
foo();
|
|
|
|
})();
|