Version 7.4.288.1 (cherry-pick)
Merged 96de5eeba9b
Merged 6f2b87b8836
[TurboFan] Array.prototype.map wrong ElementsKind for output array.
Fix arm/arm64 simulator test timeouts
R=jarin@chromium.org
Bug: chromium:941743
Change-Id: Ic600c7aa3c48e873804a9b386c7672b8a05466a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1530807
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/7.4.288@{#2}
Cr-Branched-From: d077f9b5ad92b23fe4366a9bdce319a71cd1a2c5-refs/heads/master@{#60039}diff --git a/include/v8-version.h b/include/v8-version.h
index 64ae075..4f8532b 100644
--- a/include/v8-version.h
+++ b/include/v8-version.h
@@ -11,7 +11,7 @@
#define V8_MAJOR_VERSION 7
#define V8_MINOR_VERSION 4
#define V8_BUILD_NUMBER 288
-#define V8_PATCH_LEVEL 0
+#define V8_PATCH_LEVEL 1
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
diff --git a/src/compiler/js-call-reducer.cc b/src/compiler/js-call-reducer.cc
index c9ab7fb..76f6e49 100644
--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@@ -1540,6 +1540,13 @@
simplified()->LoadField(AccessBuilder::ForJSArrayLength(kind)), receiver,
effect, control);
+ // If the array length >= kMaxFastArrayLength, then CreateArray
+ // will create a dictionary. We should deopt in this case, and make sure
+ // not to attempt inlining again.
+ original_length = effect = graph()->NewNode(
+ simplified()->CheckBounds(p.feedback()), original_length,
+ jsgraph()->Constant(JSArray::kMaxFastArrayLength), effect, control);
+
// Even though {JSCreateArray} is not marked as {kNoThrow}, we can elide the
// exceptional projections because it cannot throw with the given parameters.
Node* a = control = effect = graph()->NewNode(
diff --git a/test/mjsunit/mjsunit.status b/test/mjsunit/mjsunit.status
index 5997d7d..da5f4d1 100644
--- a/test/mjsunit/mjsunit.status
+++ b/test/mjsunit/mjsunit.status
@@ -77,6 +77,9 @@
# Too slow in debug mode and under turbofan.
'regress/regress-4595': [PASS, NO_VARIANTS, ['mode == debug', SKIP]],
+ # Too slow in debug mode, due to large allocations.
+ 'regress/regress-crbug-941743': [PASS, ['mode == debug', SKIP], ['(arch == arm or arch == arm64) and simulator_run == True', SKIP]],
+
##############################################################################
# Only RegExp stuff tested, no need for extensive optimizing compiler tests.
'regexp-global': [PASS, NO_VARIANTS],
diff --git a/test/mjsunit/regress/regress-crbug-941743.js b/test/mjsunit/regress/regress-crbug-941743.js
new file mode 100644
index 0000000..8fc4ad4
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-941743.js
@@ -0,0 +1,28 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --noenable-slow-asserts
+
+// This call ensures that TurboFan won't inline array constructors.
+Array(2**30);
+
+// Set up a fast holey smi array, and generate optimized code.
+let a = [1, 2, ,,, 3];
+function mapping(a) {
+ return a.map(v => v);
+}
+mapping(a);
+mapping(a);
+%OptimizeFunctionOnNextCall(mapping);
+mapping(a);
+
+// Now lengthen the array, but ensure that it points to a non-dictionary
+// backing store.
+a.length = (32 * 1024 * 1024)-1;
+a.fill(1,0);
+a.push(2);
+a.length += 500;
+// Now, the non-inlined array constructor should produce an array with
+// dictionary elements: causing a crash.
+mapping(a);
