From 6b4b0624894ed91e4dcbf708431da78cadd83da8 Mon Sep 17 00:00:00 2001 From: cbruni Date: Wed, 26 Apr 2017 07:53:21 -0700 Subject: [PATCH] Revert of [turbofan] Set proper representation for initial arguments length. (patchset #1 id:1 of https://codereview.chromium.org/2810333004/ ) Reason for revert: Field representation is not preserved Original issue's description: > [turbofan] Set proper representation for initial arguments length. > > The JSArgumentsObject::length representation is initially Smi, so we can > record that on the initial map and use it to optimize the accesses in > TurboFan based on that. Similar for JSSloppyArgumentsObject::caller. > > BUG=v8:6262 > R=yangguo@chromium.org > > Review-Url: https://codereview.chromium.org/2810333004 > Cr-Commit-Position: refs/heads/master@{#44644} > Committed: https://chromium.googlesource.com/v8/v8/+/5eec7df9b319e5b7a8158d82825d61e90a7cfe33 TBR=yangguo@chromium.org,bmeurer@chromium.org # Not skipping CQ checks because original CL landed more than 1 days ago. BUG=v8:6262 Review-Url: https://codereview.chromium.org/2825323002 Cr-Commit-Position: refs/heads/master@{#44893} --- src/bootstrapper.cc | 6 +++--- src/compiler/access-builder.cc | 4 ++-- test/mjsunit/arguments.js | 14 ++++++++++++++ 3 files changed, 19 insertions(+), 5 deletions(-) diff --git a/src/bootstrapper.cc b/src/bootstrapper.cc index 0263ddc1d4d6..761676aa8e96 100644 --- a/src/bootstrapper.cc +++ b/src/bootstrapper.cc @@ -3072,13 +3072,13 @@ void Genesis::InitializeGlobal(Handle global_object, { // length Descriptor d = Descriptor::DataField( factory->length_string(), JSSloppyArgumentsObject::kLengthIndex, - DONT_ENUM, Representation::Smi()); + DONT_ENUM, Representation::Tagged()); map->AppendDescriptor(&d); } { // callee Descriptor d = Descriptor::DataField( factory->callee_string(), JSSloppyArgumentsObject::kCalleeIndex, - DONT_ENUM, Representation::HeapObject()); + DONT_ENUM, Representation::Tagged()); map->AppendDescriptor(&d); } // @@iterator method is added later. @@ -3129,7 +3129,7 @@ void Genesis::InitializeGlobal(Handle global_object, { // length Descriptor d = Descriptor::DataField( factory->length_string(), JSStrictArgumentsObject::kLengthIndex, - DONT_ENUM, Representation::Smi()); + DONT_ENUM, Representation::Tagged()); map->AppendDescriptor(&d); } { // callee diff --git a/src/compiler/access-builder.cc b/src/compiler/access-builder.cc index 0a58bcdb6a41..11925a84db14 100644 --- a/src/compiler/access-builder.cc +++ b/src/compiler/access-builder.cc @@ -716,8 +716,8 @@ FieldAccess AccessBuilder::ForValue() { FieldAccess AccessBuilder::ForArgumentsLength() { FieldAccess access = {kTaggedBase, JSArgumentsObject::kLengthOffset, Handle(), MaybeHandle(), - Type::SignedSmall(), MachineType::TaggedSigned(), - kNoWriteBarrier}; + Type::NonInternal(), MachineType::AnyTagged(), + kFullWriteBarrier}; return access; } diff --git a/test/mjsunit/arguments.js b/test/mjsunit/arguments.js index 97ec7cca6d9c..8cdc0608e7d8 100644 --- a/test/mjsunit/arguments.js +++ b/test/mjsunit/arguments.js @@ -271,3 +271,17 @@ assertEquals(117, arg_set(0xFFFFFFFF)); assertEquals(undefined, args[key]); assertEquals(2, args.length); })(); + +(function testSloppyArgumentsLengthMapChange() { + function f(a) { return arguments }; + let args1 = f(1); + let args2 = f(1,2); + assertTrue(%HaveSameMap(args1, args2)); + // Changing the length type doesn't causes a map transition. + args2.length = 12; + assertTrue(%HaveSameMap(args1, args2)); + args2.length = 12.0; + assertTrue(%HaveSameMap(args1, args2)); + args2.length = "aa" + assertTrue(%HaveSameMap(args1, args2)); +})();