Reviewers: Mads Ager, Message: rev 501 missed these "property" lookups, can you please review?
Description: Fix CALL_IC to read properties out of the object in the presence of in-object properties instead of always going to read out of the properties array. Please review this at http://codereview.chromium.org/6607 Affected files: M src/stub-cache-arm.cc M src/stub-cache-ia32.cc
Index: src/stub-cache-ia32.cc
===================================================================
--- src/stub-cache-ia32.cc (revision 501)
+++ src/stub-cache-ia32.cc (working copy)
@@ -499,10 +499,19 @@
 Register reg = __ CheckMaps(JSObject::cast(object), edx, holder, ebx, ecx, &miss);
- // Get the properties array of the holder and get the function from the field.
- int offset = index * kPointerSize + Array::kHeaderSize;
- __ mov(edi, FieldOperand(reg, JSObject::kPropertiesOffset));
- __ mov(edi, FieldOperand(edi, offset));
+ // Adjust for the number of properties stored in the holder.
+ index -= holder->map()->inobject_properties();
+ if (index < 0) {
+ // Get the property straight out of the holder.
+ int offset = holder->map()->instance_size() + (index * kPointerSize);
+ __ mov(edi, FieldOperand(reg, offset));
+ } else {
+ // Get the properties array of the holder and get the function from
+ // the field.
+ int offset = index * kPointerSize + Array::kHeaderSize;
+ __ mov(edi, FieldOperand(reg, JSObject::kPropertiesOffset));
+ __ mov(edi, FieldOperand(edi, offset));
+ }
 // Check that the function really is a function.
 __ test(edi, Immediate(kSmiTagMask));
Index: src/stub-cache-arm.cc
===================================================================
--- src/stub-cache-arm.cc (revision 502)
+++ src/stub-cache-arm.cc (working copy)
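Review bot: In the `index < 0` branch of the src/stub-cache-ia32.cc hunk, the value `holder->map()->instance_size() + (index * kPointerSize)` is computed when the stub is compiled and emitted straight into the load, with nothing checking that it lands inside the holder's in-object area. If `index` (declared outside the hunk) were ever out of range for this map, the generated code would read outside the object, so I would add `ASSERT(offset >= JSObject::kHeaderSize && offset < holder->map()->instance_size());` right after the computation. The baked-in offset is only valid while the holder keeps this map, which presumably is what the `CheckMaps` call above guarantees; a comment saying so would make that dependency explicit. The matching hunk in src/stub-cache-arm.cc has the same gap, and the enclosing function starts and ends outside both hunks.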
@@ -209,10 +209,19 @@
 Register reg = __ CheckMaps(JSObject::cast(object), r1, holder, r3, r2, &miss);
- // Get the properties array of the holder and get the function from the field.
- int offset = index * kPointerSize + Array::kHeaderSize;
- __ ldr(r1, FieldMemOperand(reg, JSObject::kPropertiesOffset));
- __ ldr(r1, FieldMemOperand(r1, offset));
+ // Adjust for the number of properties stored in the holder.
+ index -= holder->map()->inobject_properties();
+ if (index < 0) {
+ // Get the property straight out of the holder.
+ int offset = holder->map()->instance_size() + (index * kPointerSize);
+ __ ldr(r1, FieldMemOperand(reg, offset));
+ } else {
+ // Get the properties array of the holder and get the function from
+ // the field.
+ int offset = index * kPointerSize + Array::kHeaderSize;
+ __ ldr(r1, FieldMemOperand(reg, JSObject::kPropertiesOffset));
+ __ ldr(r1, FieldMemOperand(r1, offset));
+ }
 // Check that the function really is a function.
 __ tst(r1, Operand(kSmiTagMask));
--~--~---------~--~----~------------~-------~--~----~ v8-dev mailing list [email protected] http://groups.google.com/group/v8-dev -~----------~----~----~----~------~----~------~--~---
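Review bot: `index -= holder->map()->inobject_properties();` reuses `index` for the adjusted value, so from this line on the name no longer holds the field index it was given; a separate local, `int adjusted = index - holder->map()->inobject_properties();`, would keep the two apart. The in-object versus properties-array selection is also repeated line for line in src/stub-cache-ia32.cc, and the message suggests rev 501 already introduced it for other lookups, so the offset computation would be better placed in one architecture-independent helper that each stub compiler calls before emitting its load. `index` is declared outside the hunk and the enclosing function continues past it.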
