authorYang Guo <yangguo@chromium.org>2015-01-07 09:49:23 +0100
committerYang Guo <yangguo@chromium.org>2015-01-07 08:49:42 +0000
commit87d803140135c8161ef65222281de1a0bfabf606 (patch)
tree166a7f022bb1ca57f1539c0e9ac46b4815aae807
parentaee41f5d4de09a9ffc245eaea459a75331b6f94d (diff)
downloadv8-87d803140135c8161ef65222281de1a0bfabf606.tar.gz
Version 3.30.33.14 (cherry-pick)
Merged 3d58b82addcdc72755539631b1d5dc603a9b2135 Fix for 435073: CHECK failure in CHECK(p->IsSmi()) failed. BUG=435073 LOG=N R=ishell@chromium.org Review URL: https://codereview.chromium.org/831243005 Cr-Commit-Position: refs/branch-heads/3.30@{#25268}
-rw-r--r--src/hydrogen.cc22
-rw-r--r--src/version.cc2
-rw-r--r--test/mjsunit/array-shift4.js24
-rw-r--r--test/mjsunit/regress/regress-435073.js12
4 files changed, 51 insertions, 9 deletions
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 31fcd4ca4..1028a0761 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -8301,6 +8301,7 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall(
if (receiver_map.is_null()) return false;
if (receiver_map->instance_type() != JS_ARRAY_TYPE) return false;
ElementsKind elements_kind = receiver_map->elements_kind();
+ if (JSArray::IsReadOnlyLengthDescriptor(receiver_map)) return false;
if (!IsFastElementsKind(elements_kind)) return false;
if (receiver_map->is_observed()) return false;
if (!receiver_map->is_extensible()) return false;
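Review bot: The new `JSArray::IsReadOnlyLengthDescriptor(receiver_map)` bailout here, and the identical one in the next hunk (around new line 8419), has no comment and no test in this commit. Both added tests exercise holey-smi copying, not an array whose `length` is non-writable. If these inlined paths update the array length directly, as the guard suggests, a regression would let optimized code silently ignore a read-only `length`, so I would add an mjsunit case that makes `length` non-writable with `Object.defineProperty` before the optimized call. A one-line comment such as `// Inlined code writes length directly; bail out if length is read-only.` would record the intent. The enclosing case of `TryInlineBuiltinMethodCall` starts and ends outside the hunk, so which builtin each guard protects is not visible here.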
@@ -8418,6 +8419,7 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall(
if (receiver_map.is_null()) return false;
if (receiver_map->instance_type() != JS_ARRAY_TYPE) return false;
ElementsKind kind = receiver_map->elements_kind();
+ if (JSArray::IsReadOnlyLengthDescriptor(receiver_map)) return false;
if (!IsFastElementsKind(kind)) return false;
if (receiver_map->is_observed()) return false;
if (!receiver_map->is_extensible()) return false;
@@ -8490,10 +8492,12 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall(
graph()->GetConstant0(), new_length, Token::LT);
HValue* key = AddUncasted<HAdd>(new_key, graph()->GetConstant1());
key->ClearFlag(HValue::kCanOverflow);
+ ElementsKind copy_kind =
+ kind == FAST_HOLEY_SMI_ELEMENTS ? FAST_HOLEY_ELEMENTS : kind;
HValue* element = AddUncasted<HLoadKeyed>(
- elements, key, lengthiszero, kind, ALLOW_RETURN_HOLE);
- HStoreKeyed* store = Add<HStoreKeyed>(
- elements, new_key, element, kind);
+ elements, key, lengthiszero, copy_kind, ALLOW_RETURN_HOLE);
+ HStoreKeyed* store =
+ Add<HStoreKeyed>(elements, new_key, element, copy_kind);
store->SetFlag(HValue::kAllowUndefinedAsNaN);
}
loop.EndBody();
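Review bot: The `copy_kind` widening from `FAST_HOLEY_SMI_ELEMENTS` to `FAST_HOLEY_ELEMENTS` is not explained, and the same ternary is repeated verbatim in the `BuildEmitFixedArray` hunk below. Going by the commit message (`CHECK(p->IsSmi())`) and the new test's comment, the reason appears to be that a load with `ALLOW_RETURN_HOLE` can yield the hole, which is not a Smi. I would say so at the site, e.g. `// The hole is not a Smi; copy holey-smi elements as tagged values.` Since the rule must hold at every raw element copy, a small file-local helper (name is only a suggestion), `static ElementsKind CopyKindFor(ElementsKind kind)`, would keep the two sites from drifting apart. The loop body this hunk edits begins outside the hunk.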
@@ -11314,11 +11318,13 @@ void HOptimizedGraphBuilder::BuildEmitFixedArray(
site_context->ExitScope(current_site, value_object);
Add<HStoreKeyed>(object_elements, key_constant, result, kind);
} else {
- HInstruction* value_instruction =
- Add<HLoadKeyed>(boilerplate_elements, key_constant,
- static_cast<HValue*>(NULL), kind,
- ALLOW_RETURN_HOLE);
- Add<HStoreKeyed>(object_elements, key_constant, value_instruction, kind);
+ ElementsKind copy_kind =
+ kind == FAST_HOLEY_SMI_ELEMENTS ? FAST_HOLEY_ELEMENTS : kind;
+ HInstruction* value_instruction = Add<HLoadKeyed>(
+ boilerplate_elements, key_constant, static_cast<HValue*>(NULL),
+ copy_kind, ALLOW_RETURN_HOLE);
+ Add<HStoreKeyed>(object_elements, key_constant, value_instruction,
+ copy_kind);
}
}
}
diff --git a/src/version.cc b/src/version.cc
index 81515d1ae..3a52a49ce 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 30
#define BUILD_NUMBER 33
-#define PATCH_LEVEL 13
+#define PATCH_LEVEL 14
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
diff --git a/test/mjsunit/array-shift4.js b/test/mjsunit/array-shift4.js
new file mode 100644
index 000000000..669b11a05
--- /dev/null
+++ b/test/mjsunit/array-shift4.js
@@ -0,0 +1,24 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+// Inlining shift with holey smi arrays shouldn't deopt just because it
+// encounters the hole on the copy step.
+function doShift(a) {
+ var x = a.shift();
+ return x;
+}
+
+function makeArray() {
+ var a = [1, 2,, 3];
+ a[0] = 2;
+ return a;
+}
+
+doShift(makeArray());
+doShift(makeArray());
+%OptimizeFunctionOnNextCall(doShift);
+doShift(makeArray());
+assertOptimized(doShift);
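Review bot: This test only asserts that `doShift` stays optimized; it never checks what the inlined shift returned or what it left in the array. A copy step that mishandles the hole could therefore pass as long as it does not deopt. After the optimized call I would check the result and the hole, for example `var a = makeArray(); assertEquals(2, doShift(a));` followed by `assertEquals(3, a.length); assertFalse(1 in a);` and `assertEquals(3, a[2]);`.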
diff --git a/test/mjsunit/regress/regress-435073.js b/test/mjsunit/regress/regress-435073.js
new file mode 100644
index 000000000..dbaa612af
--- /dev/null
+++ b/test/mjsunit/regress/regress-435073.js
@@ -0,0 +1,12 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --verify-heap
+
+function test(x) { [x,,]; }
+
+test(0);
+test(0);
+%OptimizeFunctionOnNextCall(test);
+test(0);
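Review bot: This regression test has no assertions and relies entirely on `--verify-heap` to detect the bad element. In a build where heap verification is not compiled in (worth confirming for the bots that run this branch), it would presumably pass without checking anything. If returning the literal still exercises the same path, `function test(x) { return [x,,]; }` with `assertEquals(0, test(0)[0]);` after the optimized call would give it a build-independent check.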