diff options
author | Ruben Bridgewater <ruben@bridgewater.de> | 2018-12-20 14:34:20 +0100 |
---|---|---|
committer | Daniel Bevenius <daniel.bevenius@gmail.com> | 2018-12-21 07:28:52 +0100 |
commit | 4884ca6428c0069468beea0826d228e167ad9cea (patch) | |
tree | f91ac1c7e585a0ba2efec4faf597541d0ece179e /deps/v8/src/ic | |
parent | b5784fe5d598c9c8076cacaad7105a05457b22b4 (diff) | |
download | android-node-v8-4884ca6428c0069468beea0826d228e167ad9cea.tar.gz android-node-v8-4884ca6428c0069468beea0826d228e167ad9cea.tar.bz2 android-node-v8-4884ca6428c0069468beea0826d228e167ad9cea.zip |
deps: V8: backport 3e010af
Original commit message:
[CloneObjectIC] clone MutableHeapNumbers only if !FLAG_unbox_double_fields
Change the macros added in bf84766a2cd3e09070adcd6228a3a487c8dc4bbd to
only do the hard work if FLAG_unbox_double_fields is unset (otherwise,
they will attempt to dereference raw float64s, which is bad!)
Also adds a write barrier in CopyPropertyArrayValues for each store if
it's possible that a MutableHeapNumber is cloned.
BUG=chromium:901301, chromium:902965, chromium:903070, v8:7611
R=cbruni@chromium.org, jkummerow@chromium.org, ishell@chromium.org
Change-Id: I224d3c4e7b0a887684bff68985b4d97021ba4cfb
Reviewed-on: https://chromium-review.googlesource.com/c/1323911
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57368}
PR-URL: https://github.com/nodejs/node/pull/25101
Refs: https://github.com/v8/v8/commit/3e010af274088493f3485d7a16dec4e31550e876
Fixes: https://github.com/nodejs/node/issues/25089
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
Reviewed-By: Yang Guo <yangguo@chromium.org>
Diffstat (limited to 'deps/v8/src/ic')
-rw-r--r-- | deps/v8/src/ic/accessor-assembler.cc | 60 |
1 files changed, 41 insertions, 19 deletions
diff --git a/deps/v8/src/ic/accessor-assembler.cc b/deps/v8/src/ic/accessor-assembler.cc index 9ba5cde754..0cb326763c 100644 --- a/deps/v8/src/ic/accessor-assembler.cc +++ b/deps/v8/src/ic/accessor-assembler.cc @@ -3566,7 +3566,7 @@ void AccessorAssembler::GenerateCloneObjectIC_Slow() { void AccessorAssembler::GenerateCloneObjectIC() { typedef CloneObjectWithVectorDescriptor Descriptor; - Node* source = Parameter(Descriptor::kSource); + TNode<HeapObject> source = CAST(Parameter(Descriptor::kSource)); Node* flags = Parameter(Descriptor::kFlags); Node* slot = Parameter(Descriptor::kSlot); Node* vector = Parameter(Descriptor::kVector); @@ -3576,8 +3576,7 @@ void AccessorAssembler::GenerateCloneObjectIC() { Label miss(this, Label::kDeferred), try_polymorphic(this, Label::kDeferred), try_megamorphic(this, Label::kDeferred); - CSA_SLOW_ASSERT(this, TaggedIsNotSmi(source)); - Node* source_map = LoadMap(UncheckedCast<HeapObject>(source)); + TNode<Map> source_map = LoadMap(UncheckedCast<HeapObject>(source)); GotoIf(IsDeprecatedMap(source_map), &miss); TNode<MaybeObject> feedback = TryMonomorphicCase( slot, vector, source_map, &if_handler, &var_handler, &try_polymorphic); @@ -3598,7 +3597,7 @@ void AccessorAssembler::GenerateCloneObjectIC() { // The IC fast case should only be taken if the result map a compatible // elements kind with the source object. - TNode<FixedArrayBase> source_elements = LoadElements(source); + TNode<FixedArrayBase> source_elements = LoadElements(CAST(source)); auto flags = ExtractFixedArrayFlag::kAllFixedArraysDontCopyCOW; var_elements = CAST(CloneFixedArray(source_elements, flags)); @@ -3633,22 +3632,45 @@ void AccessorAssembler::GenerateCloneObjectIC() { // Lastly, clone any in-object properties. // Determine the inobject property capacity of both objects, and copy the // smaller number into the resulting object. - Node* source_start = LoadMapInobjectPropertiesStartInWords(source_map); - Node* source_size = LoadMapInstanceSizeInWords(source_map); - Node* result_start = LoadMapInobjectPropertiesStartInWords(result_map); - Node* field_offset_difference = + TNode<IntPtrT> source_start = + LoadMapInobjectPropertiesStartInWords(source_map); + TNode<IntPtrT> source_size = LoadMapInstanceSizeInWords(source_map); + TNode<IntPtrT> result_start = + LoadMapInobjectPropertiesStartInWords(result_map); + TNode<IntPtrT> field_offset_difference = TimesPointerSize(IntPtrSub(result_start, source_start)); - BuildFastLoop(source_start, source_size, - [=](Node* field_index) { - Node* field_offset = TimesPointerSize(field_index); - TNode<Object> field = LoadObjectField(source, field_offset); - field = CloneIfMutablePrimitive(field); - Node* result_offset = - IntPtrAdd(field_offset, field_offset_difference); - StoreObjectFieldNoWriteBarrier(object, result_offset, - field); - }, - 1, INTPTR_PARAMETERS, IndexAdvanceMode::kPost); + + // If MutableHeapNumbers may be present in-object, allocations may occur + // within this loop, thus the write barrier is required. + // + // TODO(caitp): skip the write barrier until the first MutableHeapNumber + // field is found + const bool may_use_mutable_heap_numbers = !FLAG_unbox_double_fields; + + BuildFastLoop( + source_start, source_size, + [=](Node* field_index) { + TNode<IntPtrT> field_offset = + TimesPointerSize(UncheckedCast<IntPtrT>(field_index)); + + if (may_use_mutable_heap_numbers) { + TNode<Object> field = LoadObjectField(source, field_offset); + field = CloneIfMutablePrimitive(field); + TNode<IntPtrT> result_offset = + IntPtrAdd(field_offset, field_offset_difference); + StoreObjectField(object, result_offset, field); + } else { + // Copy fields as raw data. + TNode<IntPtrT> field = UncheckedCast<IntPtrT>( + LoadObjectField(source, field_offset, MachineType::IntPtr())); + TNode<IntPtrT> result_offset = + IntPtrAdd(field_offset, field_offset_difference); + StoreObjectFieldNoWriteBarrier( + object, result_offset, field, + MachineType::IntPtr().representation()); + } + }, + 1, INTPTR_PARAMETERS, IndexAdvanceMode::kPost); Return(object); } |