Merged r15808, r15811 into trunk branch.
ARM: Ensure space for lazy deoptimization before calling IC.
MIPS: Ensure space for lazy deoptimization before calling IC.
BUG=247688
R=verwaest@chromium.org
Review URL: https://chromiumcodereview.appspot.com/19670016
git-svn-id: http://v8.googlecode.com/svn/trunk@15825 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
diff --git a/src/arm/lithium-codegen-arm.cc b/src/arm/lithium-codegen-arm.cc
index 9e0d59f..89eb8c8 100644
--- a/src/arm/lithium-codegen-arm.cc
+++ b/src/arm/lithium-codegen-arm.cc
@@ -277,6 +277,7 @@
instr->CompileToNative(this);
}
EnsureSpaceForLazyDeopt();
+ last_lazy_deopt_pc_ = masm()->pc_offset();
return !is_aborted();
}
@@ -676,6 +677,7 @@
LInstruction* instr,
SafepointMode safepoint_mode,
TargetAddressStorageMode storage_mode) {
+ EnsureSpaceForLazyDeopt();
ASSERT(instr != NULL);
// Block literal pool emission to ensure nop indicating no inlined smi code
// is in the correct position.
@@ -5610,12 +5612,12 @@
padding_size -= Assembler::kInstrSize;
}
}
- last_lazy_deopt_pc_ = masm()->pc_offset();
}
void LCodeGen::DoLazyBailout(LLazyBailout* instr) {
EnsureSpaceForLazyDeopt();
+ last_lazy_deopt_pc_ = masm()->pc_offset();
ASSERT(instr->HasEnvironment());
LEnvironment* env = instr->environment();
RegisterEnvironmentForDeoptimization(env, Safepoint::kLazyDeopt);
@@ -5673,6 +5675,7 @@
PredictableCodeSizeScope predictable(masm_, 2 * Assembler::kInstrSize);
CallCode(stub.GetCode(isolate()), RelocInfo::CODE_TARGET, instr);
EnsureSpaceForLazyDeopt();
+ last_lazy_deopt_pc_ = masm()->pc_offset();
__ bind(&done);
RegisterEnvironmentForDeoptimization(env, Safepoint::kLazyDeopt);
safepoints_.RecordLazyDeoptimizationIndex(env->deoptimization_index());
@@ -5685,6 +5688,7 @@
__ cmp(sp, Operand(ip));
__ b(lo, deferred_stack_check->entry());
EnsureSpaceForLazyDeopt();
+ last_lazy_deopt_pc_ = masm()->pc_offset();
__ bind(instr->done_label());
deferred_stack_check->SetExit(instr->done_label());
RegisterEnvironmentForDeoptimization(env, Safepoint::kLazyDeopt);
diff --git a/src/mips/lithium-codegen-mips.cc b/src/mips/lithium-codegen-mips.cc
index 65b4a57..29633dd 100644
--- a/src/mips/lithium-codegen-mips.cc
+++ b/src/mips/lithium-codegen-mips.cc
@@ -271,6 +271,7 @@
instr->CompileToNative(this);
}
EnsureSpaceForLazyDeopt();
+ last_lazy_deopt_pc_ = masm()->pc_offset();
return !is_aborted();
}
@@ -5615,12 +5616,12 @@
padding_size -= Assembler::kInstrSize;
}
}
- last_lazy_deopt_pc_ = masm()->pc_offset();
}
void LCodeGen::DoLazyBailout(LLazyBailout* instr) {
EnsureSpaceForLazyDeopt();
+ last_lazy_deopt_pc_ = masm()->pc_offset();
ASSERT(instr->HasEnvironment());
LEnvironment* env = instr->environment();
RegisterEnvironmentForDeoptimization(env, Safepoint::kLazyDeopt);
@@ -5676,6 +5677,7 @@
StackCheckStub stub;
CallCode(stub.GetCode(isolate()), RelocInfo::CODE_TARGET, instr);
EnsureSpaceForLazyDeopt();
+ last_lazy_deopt_pc_ = masm()->pc_offset();
__ bind(&done);
RegisterEnvironmentForDeoptimization(env, Safepoint::kLazyDeopt);
safepoints_.RecordLazyDeoptimizationIndex(env->deoptimization_index());
@@ -5687,6 +5689,7 @@
__ LoadRoot(at, Heap::kStackLimitRootIndex);
__ Branch(deferred_stack_check->entry(), lo, sp, Operand(at));
EnsureSpaceForLazyDeopt();
+ last_lazy_deopt_pc_ = masm()->pc_offset();
__ bind(instr->done_label());
deferred_stack_check->SetExit(instr->done_label());
RegisterEnvironmentForDeoptimization(env, Safepoint::kLazyDeopt);
diff --git a/src/version.cc b/src/version.cc
index 1f1ff7a..41ac37f 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 20
#define BUILD_NUMBER 7
-#define PATCH_LEVEL 0
+#define PATCH_LEVEL 1
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
diff --git a/test/mjsunit/regress/regress-247688.js b/test/mjsunit/regress/regress-247688.js
new file mode 100644
index 0000000..80e2884
--- /dev/null
+++ b/test/mjsunit/regress/regress-247688.js
@@ -0,0 +1,80 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+var a = {};
+a.x = 1
+a.y = 1.5
+
+var b = {}
+b.x = 1.5;
+b.y = 1;
+
+var c = {}
+c.x = 1.5;
+
+var d = {}
+d.x = 1.5;
+
+var e = {}
+e.x = 1.5;
+
+var f = {}
+f.x = 1.5;
+
+var g = {}
+g.x = 1.5;
+
+var h = {}
+h.x = 1.5;
+
+var i = {}
+i.x = 1.5;
+
+var o = {}
+var p = {y : 10, z : 1}
+o.__proto__ = p;
+delete p.z
+
+function foo(v, w) {
+ // Make load via IC in optimized code. Its target will get overwritten by
+ // lazy deopt patch for the stack check.
+ v.y;
+ // Make store with transition to make this code dependent on the map.
+ w.y = 1;
+ return b.y;
+}
+
+foo(o, c);
+foo(o, d);
+foo(o, e);
+%OptimizeFunctionOnNextCall(foo);
+foo(b, f);
+foo(b, g);
+foo(b, h);
+foo(a, i);