Reviewers: bak,

Description:
Fix issue with skipping global object during lookup through the prototype chain. In case we're skipping a global object, we have to be careful not to use ICs for the load, because it's possible to introduce variables on the global object without a map change.
Please review this at http://codereview.chromium.org/149316 SVN Base: http://v8.googlecode.com/svn/branches/bleeding_edge/ Affected files: M src/objects.cc A test/mjsunit/global-deleted-property-ic.js Index: test/mjsunit/global-deleted-property-ic.js =================================================================== --- test/mjsunit/global-deleted-property-ic.js (revision 0) +++ test/mjsunit/global-deleted-property-ic.js (revision 0) 
@@ -0,0 +1,53 @@ +// Copyright 2009 the V8 project authors. All rights reserved. +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials provided +// with the distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived +// from this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +function LoadX(obj) { return obj.x; } + +// Load x from the prototype of this. Make sure to initialize the IC. +this.__proto__ = { x: 42 }; +assertEquals(42, LoadX(this)); +assertEquals(42, LoadX(this)); +assertEquals(42, LoadX(this)); + +// Introduce a global variable and make sure we load that from LoadX. 
+this.x = 87; +assertEquals(87, LoadX(this)); +assertEquals(87, LoadX(this)); +assertEquals(87, LoadX(this)); + +// Delete the global variable and make sure we get back to loading from +// the prototype. +delete this.x; +assertEquals(42, LoadX(this)); +assertEquals(42, LoadX(this)); +assertEquals(42, LoadX(this)); + +// ... and go back again to loading directly from the object. +this.x = 99; +assertEquals(99, LoadX(this)); +assertEquals(99, LoadX(this)); +assertEquals(99, LoadX(this)); Index: src/objects.cc =================================================================== --- src/objects.cc (revision 2384) +++ src/objects.cc (working copy) @@ -1711,6 +1711,10 @@ if (IsGlobalObject()) { PropertyDetails d = property_dictionary()->DetailsAt(entry); if (d.IsDeleted()) { + // We've skipped a global object during lookup, so we cannot + // use inline caching because the map of the global object + // doesn't change if the property should be re-added. + result->DisallowCaching(); result->NotFound(); return; } --~--~---------~--~----~------------~-------~--~----~ v8-dev mailing list [email protected] http://groups.google.com/group/v8-dev -~----------~----~----~----~------~----~------~--~---
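Review bot: test/mjsunit/global-deleted-property-ic.js only drives the stale-cache case through the named load in `LoadX` (`return obj.x;`), with the property introduced by plain assignment (`this.x = 87;`). The description speaks of introducing variables on the global object in general, so it would be worth adding a variant that re-introduces `x` some other way after the `delete this.x;` step, and one that reads it through a keyed load, so that a regression in either path fails this test as well. A short comment saying why each value is asserted three times (warming the IC, then hitting it) would also help the next reader.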
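Review bot: in the src/objects.cc hunk, `result->DisallowCaching();` is called immediately before `result->NotFound();`, and nothing visible here shows whether `NotFound()` leaves the caching flag alone or resets the result. Please confirm the flag survives that call, or swap the order so that the disallow is the last thing done before `return;`. Two smaller points on the same lines: the comment's "if the property should be re-added" reads as a condition, and "when the property is re-added" would state the hazard more directly; and since this path now disables caching for every lookup that passes a deleted entry on a global object, a note in the comment about the expected cost would be useful.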
