[v8-dev] Only walk the hidden prototype chain for private nonexistent symbols (issue 1185373004 by [email protected])

Wed, 17 Jun 2015 02:35:19 -0700 

Reviewers: Jakob,

Message:
ptal

Description:
Only walk the hidden prototype chain for private nonexistent symbols

BUG=chromium:478612
LOG=n

Please review this at https://codereview.chromium.org/1185373004/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+20, -9 lines):
  M src/ic/handler-compiler.cc
  A + test/mjsunit/regress/regress-479528.js


Index: src/ic/handler-compiler.cc
diff --git a/src/ic/handler-compiler.cc b/src/ic/handler-compiler.cc
index 4d9d46acda7e44fb618b2f628294d5515efb8507..04b8fb0c8cd436e804b86af5ca5d29500952f3db 100644 
--- a/src/ic/handler-compiler.cc
+++ b/src/ic/handler-compiler.cc
@@ -53,6 +53,16 @@ Handle<Code> NamedLoadHandlerCompiler::ComputeLoadNonexistent( 
   while (true) {
     if (current_map->is_dictionary_map()) cache_name = name;
     if (current_map->prototype()->IsNull()) break;
+    if (name->IsPrivate()) {
+      // TODO(verwaest): Use nonexistent_private_symbol.
+      cache_name = name;
+      JSReceiver* prototype = JSReceiver::cast(current_map->prototype());
+      if (!prototype->map()->is_hidden_prototype() &&
+          !prototype->map()->IsGlobalObjectMap()) {
+        break;
+      }
+    }
+
     last = handle(JSObject::cast(current_map->prototype()));
     current_map = handle(last->map());
   }
@@ -428,8 +438,11 @@ Handle<Code> NamedStoreHandlerCompiler::CompileStoreTransition( 
   if (is_nonexistent) {
     // Find the top object.
     Handle<JSObject> last;
+    PrototypeIterator::WhereToEnd end =
+        name->IsPrivate() ? PrototypeIterator::END_AT_NON_HIDDEN
+                          : PrototypeIterator::END_AT_NULL;
     PrototypeIterator iter(isolate(), holder());
-    while (!iter.IsAtEnd()) {
+    while (!iter.IsAtEnd(end)) {
       last = Handle<JSObject>::cast(PrototypeIterator::GetCurrent(iter));
       iter.Advance();
     }
Index: test/mjsunit/regress/regress-479528.js
diff --git a/test/mjsunit/compiler/regress-491578.js b/test/mjsunit/regress/regress-479528.js 
similarity index 57%
copy from test/mjsunit/compiler/regress-491578.js
copy to test/mjsunit/regress/regress-479528.js
index c27570456c31e9a191fe1f4f1ea17b80f29de98e..be0dfaff45babd4e88fcf91ab0931fbfc3a59afe 100644 
--- a/test/mjsunit/compiler/regress-491578.js
+++ b/test/mjsunit/regress/regress-479528.js
@@ -4,12 +4,10 @@

 // Flags: --allow-natives-syntax

-function foo(x) {
-  if (x === undefined) return;
-  while (true) {
-    while (1 || 2) { }
-    f();
-  }
+var __v_7 = {"__proto__": this};
+__v_9 = %CreatePrivateSymbol("__v_9");
+this[__v_9] = "moo";
+function __f_5() {
+    __v_7[__v_9] = "bow-wow";
 }
-%OptimizeFunctionOnNextCall(foo);
-foo();
+__f_5();


--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
--- You received this message because you are subscribed to the Google Groups "v8-dev" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to