Skip to content

Commit f20fca6

Browse files
o-V8 LUCI CQ
o-
authored and
V8 LUCI CQ
committed
[ic] Disable Clone IC for unsupported elements kind
If the elements are not simple, or change in the slow case of the clone IC, then the fast case must be skipped. This is more conservative than neccessary (since some elements kinds have compatible binary layout) but also less risky. Drive-By: Update out of date comment. Bug: chromium:1488365 Change-Id: I705bd624abd8b86f8eeb2c8b1cc961229fb9122d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4905770 Reviewed-by: Camillo Bruni <[email protected]> Reviewed-by: Igor Sheludko <[email protected]> Auto-Submit: Olivier Flückiger <[email protected]> Commit-Queue: Olivier Flückiger <[email protected]> Cr-Commit-Position: refs/heads/main@{#90245}
1 parent 1b5ca51 commit f20fca6

1 file changed

Lines changed: 9 additions & 5 deletions

File tree

src/ic/ic.cc

Lines changed: 9 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -3170,18 +3170,22 @@ bool CanFastCloneObjectWithDifferentMaps(Handle<Map> source_map,
31703170
Handle<Map> target_map,
31713171
Isolate* isolate) {
31723172
DisallowGarbageCollection no_gc;
3173-
// TODO(olivf): Add support for non JS_OBJECT_TYPE source maps. The reason for
3174-
// this restriction is that the IC does not initialize the target object and
3175-
// instead relies on copying the source objects bytes. Thus they need to have
3176-
// the same binary layout.
3173+
// Ensure source and target have identical binary represenation of properties
3174+
// and elements as the IC relies on copying the raw bytes. This also excludes
3175+
// cases with non-enumerable properties or accessors on the source object.
31773176
if (source_map->instance_type() != JS_OBJECT_TYPE ||
31783177
target_map->instance_type() != JS_OBJECT_TYPE ||
31793178
!source_map->OnlyHasSimpleProperties() ||
3180-
!target_map->OnlyHasSimpleProperties()) {
3179+
!target_map->OnlyHasSimpleProperties() ||
3180+
source_map->elements_kind() != target_map->elements_kind() ||
3181+
!source_map->has_fast_elements()) {
31813182
return false;
31823183
}
31833184
// Check that the source inobject properties are big enough to initialize all
31843185
// target slots, but not too big to fit.
3186+
// TODO(olivf): This restriction (and the same restriction on the backing
3187+
// store) could be lifted by properly initializing the target object instead
3188+
// of relying on copying empty slots.
31853189
int source_inobj_properties = source_map->GetInObjectProperties();
31863190
int target_inobj_properties = target_map->GetInObjectProperties();
31873191
int source_used_inobj_properties =

0 commit comments

Comments
 (0)