Reviewers: Kevin Millikin,

Description:
Attempt at work-around for http://crbug.com/16276 by explicitly checking
for global objects in the assembly code for dictionary loads.

Please review this at http://codereview.chromium.org/155418

SVN Base: http://v8.googlecode.com/svn/branches/bleeding_edge/

Affected files:
   M     src/ia32/ic-ia32.cc
   M     src/objects-inl.h
   M     src/objects.cc


Index: src/objects.cc
===================================================================
--- src/objects.cc      (revision 2430)
+++ src/objects.cc      (working copy)
@@ -1632,6 +1632,7 @@
    return *value_handle;
  }

+
  void JSObject::LookupCallbackSetterInPrototypes(String* name,
                                                  LookupResult* result) {
    for (Object* pt = GetPrototype();
@@ -1659,7 +1660,7 @@
      if (JSObject::cast(pt)->HasFastElements()) continue;
      NumberDictionary* dictionary =  
JSObject::cast(pt)->element_dictionary();
      int entry = dictionary->FindEntry(index);
-    if (entry != StringDictionary::kNotFound) {
+    if (entry != NumberDictionary::kNotFound) {
        Object* element = dictionary->ValueAt(entry);
        PropertyDetails details = dictionary->DetailsAt(entry);
        if (details.type() == CALLBACKS) {
Index: src/ia32/ic-ia32.cc
===================================================================
--- src/ia32/ic-ia32.cc (revision 2430)
+++ src/ia32/ic-ia32.cc (working copy)
@@ -75,6 +75,12 @@
    __ cmp(r0, JS_GLOBAL_PROXY_TYPE);
    __ j(equal, miss_label, not_taken);

+  // Possible work-around for http://crbug.com/16276.
+  __ cmp(r0, JS_GLOBAL_OBJECT_TYPE);
+  __ j(equal, miss_label, not_taken);
+  __ cmp(r0, JS_BUILTINS_OBJECT_TYPE);
+  __ j(equal, miss_label, not_taken);
+
    // Check that the properties array is a dictionary.
    __ mov(r0, FieldOperand(r1, JSObject::kPropertiesOffset));
    __ cmp(FieldOperand(r0, HeapObject::kMapOffset),
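Review bot: The comment above the two added type checks gives only the bug URL, so a reader cannot tell why global and builtins objects must leave the inline dictionary load. Judging from the assert this same patch adds to `JSGlobalPropertyCell::set_value`, the concern appears to be that these objects keep their values in property cells and the fast path could hand a raw cell to script. If that is right, say so, e.g. `// Global and builtins objects store values in property cells; take the miss path so a raw cell is never returned.` The affected-files list shows only the ia32 port, so it is worth confirming whether any other architecture has an equivalent dictionary-load stub that still lacks the check. The enclosing function starts and ends outside this hunk.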
Index: src/objects-inl.h
===================================================================
--- src/objects-inl.h   (revision 2430)
+++ src/objects-inl.h   (working copy)
@@ -1069,6 +1069,7 @@

  void JSGlobalPropertyCell::set_value(Object* val, WriteBarrierMode  
ignored) {
    // The write barrier is not used for global property cells.
+  ASSERT(!val->IsJSGlobalPropertyCell());
    WRITE_FIELD(this, kValueOffset, val);
  }
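Review bot: The added `ASSERT(!val->IsJSGlobalPropertyCell());` in `set_value` states an invariant without saying why. As far as I know, V8's `ASSERT` is compiled out of release builds, so it only helps diagnose the problem in debug runs. A one-line comment would record the intent, e.g. `// A cell's value must never itself be a property cell.` If a nested cell must never be tolerated in shipped builds, an always-on `CHECK` would be needed instead, at the cost of a branch on every global store.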



