Commit 66c754d

DadaIsCrazy authored and V8 LUCI CQ committed
[turboshaft] Fix Load Elimination bug when overwriting maps

So far, LateLoadElimination was assuming that maps would never change after an AssumeMap. However, it can happen that a map is updated in-place with a regular Store (typically, because of a transitioning store).

Bug: 42202729
Change-Id: I31e453324645fb91dcf870db12d49f0de64d0ad8
Fixed: 340663085
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5537918
Auto-Submit: Darius Mercadier <dmercadier@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#93912}

1 parent 566f734 commit 66c754d

2 files changed: +37 -2 lines changed

src/compiler/turboshaft/late-load-elimination-reducer.cc

Lines changed: 8 additions & 2 deletions
@@ -356,16 +356,22 @@ void LateLoadEliminationAnalyzer::ProcessStore(OpIndex op_idx,
356356
return;
357357
}
358358

359-
OpIndex value = store.value();
360-
361359
// Updating the known stored values.
362360
if (!invalidate_maybe_aliasing) memory_.Invalidate(store);
363361
memory_.Insert(store);
364362

365363
// Updating aliases if the value stored was known as non-aliasing.
364+
OpIndex value = store.value();
366365
if (non_aliasing_objects_.HasKeyFor(value)) {
367366
non_aliasing_objects_.Set(value, false);
368367
}
368+
369+
// If we just stored a map, invalidate the maps for this base.
370+
if (store.offset == HeapObject::kMapOffset && !store.index().valid()) {
371+
if (object_maps_.HasKeyFor(store.base())) {
372+
object_maps_.Set(store.base(), MapMaskAndOr{});
373+
}
374+
}
369375
}
370376

371377
// Since we only loosely keep track of what can or can't alias, we assume that
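
Review bot: In the new `store.offset == HeapObject::kMapOffset` block, only the `object_maps_` entry keyed by `store.base()` is reset, so it is worth stating how map information recorded under a different OpIndex that may refer to the same object gets dropped. The regression test in this commit writes through `v2` and `v3`, which can be the same object, so a comment here pointing at the code that handles the aliasing case (or a reset of maybe-aliasing entries in this block) would make the invariant checkable. The `!store.index().valid()` condition also skips indexed stores without explanation; a one-line comment on why an indexed store cannot write the map word would help.
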
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
// Copyright 2024 the V8 project authors. All rights reserved.
2+
// Use of this source code is governed by a BSD-style license that can be
3+
// found in the LICENSE file.
4+
5+
function f(b) {
6+
var v1 = {};
7+
v1.prop0 = 1;
8+
9+
var v2 = {};
10+
v2.prop0 = 1;
11+
12+
if (b) {
13+
v2 = v1;
14+
}
15+
16+
(function (v3) {
17+
v3.prop0;
18+
v2.a = 11;
19+
v2.b = 12;
20+
v3.x = 21;
21+
v2.y = 22;
22+
})(v1);
23+
24+
return v2.x;
25+
}
26+
27+
assertEquals(undefined, f());
28+
assertEquals(21, f(true));
29+
assertEquals(21, f(true));
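
Review bot: The three `assertEquals` calls at the end of the new test file are the only thing that drives `f`, and nothing visible forces optimized compilation, so whether the last call actually runs Turboshaft-compiled code depends on the flags the test runner happens to use. Consider adding `// Flags: --allow-natives-syntax` and calling `%PrepareFunctionForOptimization(f)` before the first call and `%OptimizeFunctionOnNextCall(f)` before the last `assertEquals(21, f(true));`, so the regression is exercised deterministically. A short comment on why `f()` returns `undefined` while `f(true)` returns 21 (the `v2 = v1` alias) would also document what the test protects.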
