mirror
/
electron
mirror of https://github.com/electron/electron
1
0
Fork 0
Code Issues Releases Activity
electron/patches/v8/cherry-pick-038530c94a06.patch

77 lines
4.2 KiB
Diff
Raw Permalink Blame History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tobias Tebbi <tebbi@chromium.org>
Date: Wed, 30 Aug 2023 10:59:48 +0200
Subject: Merged: [turbofan] Growing a non-JSArray packed elements kind makes
it holey
Bug: chromium:1473247
(cherry picked from commit ae7dc61652805bc8e2b060d53b2b6da7cf846b6f)
Change-Id: I5268513bc91ca0cc18e3e2115244c0b090afa0da
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4831892
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Reviewed-by: Darius Mercadier <dmercadier@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/branch-heads/11.6@{#34}
Cr-Branched-From: e29c028f391389a7a60ee37097e3ca9e396d6fa4-refs/heads/11.6.189@{#3}
Cr-Branched-From: 95cbef20e2aa556a1ea75431a48b36c4de6b9934-refs/heads/main@{#88340}
diff --git a/src/compiler/js-native-context-specialization.cc b/src/compiler/js-native-context-specialization.cc
index c1e781eb5bbada68af9b1a8859dc55e69177391c..fe7254ba11f3feb62a90a2929a65f74dbf483500 100644
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@@ -3446,15 +3446,21 @@ JSNativeContextSpecialization::BuildElementAccess(
// the (potential) backing store growth would normalize and thus
// the elements kind of the {receiver} would change to slow mode.
//
- // For PACKED_*_ELEMENTS the {index} must be within the range
+ // For JSArray PACKED_*_ELEMENTS the {index} must be within the range
// [0,length+1[ to be valid. In case {index} equals {length},
// the {receiver} will be extended, but kept packed.
+ //
+ // Non-JSArray PACKED_*_ELEMENTS always grow by adding holes because they
+ // lack the magical length property, which requires a map transition.
+ // So we can assume that this did not happen if we did not see this map.
Node* limit =
IsHoleyElementsKind(elements_kind)
? graph()->NewNode(simplified()->NumberAdd(), elements_length,
jsgraph()->Constant(JSObject::kMaxGap))
- : graph()->NewNode(simplified()->NumberAdd(), length,
- jsgraph()->OneConstant());
+ : receiver_is_jsarray
+ ? graph()->NewNode(simplified()->NumberAdd(), length,
+ jsgraph()->OneConstant())
+ : elements_length;
index = effect = graph()->NewNode(
simplified()->CheckBounds(
FeedbackSource(), CheckBoundsFlag::kConvertStringAndMinusZero),
diff --git a/src/maglev/maglev-graph-builder.cc b/src/maglev/maglev-graph-builder.cc
index 39e2da67e7689c0f9c8fe5bfe80995c8a1755d73..7b68da797e49bc62669eda48f7abe8ff04d7cc50 100644
--- a/src/maglev/maglev-graph-builder.cc
+++ b/src/maglev/maglev-graph-builder.cc
@@ -3725,14 +3725,20 @@ ReduceResult MaglevGraphBuilder::TryBuildElementStoreOnJSArrayOrJSObject(
// the (potential) backing store growth would normalize and thus
// the elements kind of the {receiver} would change to slow mode.
//
- // For PACKED_*_ELEMENTS the {index} must be within the range
+ // For JSArray PACKED_*_ELEMENTS the {index} must be within the range
// [0,length+1[ to be valid. In case {index} equals {length},
// the {receiver} will be extended, but kept packed.
+ //
+ // Non-JSArray PACKED_*_ELEMENTS always grow by adding holes because they
+ // lack the magical length property, which requires a map transition.
+ // So we can assume that this did not happen if we did not see this map.
ValueNode* limit =
IsHoleyElementsKind(elements_kind)
? AddNewNode<Int32AddWithOverflow>(
{elements_array_length, GetInt32Constant(JSObject::kMaxGap)})
- : AddNewNode<Int32AddWithOverflow>({length, GetInt32Constant(1)});
+ : is_jsarray
+ ? AddNewNode<Int32AddWithOverflow>({length, GetInt32Constant(1)})
+ : elements_array_length;
AddNewNode<CheckBounds>({index, limit});
// Grow backing store if necessary and handle COW.
View Git Blame Copy Permalink