Reviewers: Hablich,
Description:
Version 4.3.61.38 (cherry-pick)
Merged 8c298c79c2eff50b1d3809a5f72ed7d3679c47a4
Move compatible receiver check from CompileHandler to UpdateCaches
BUG=chromium:505374
LOG=N
[email protected]
Please review this at https://codereview.chromium.org/1233593002/
Base URL: https://chromium.googlesource.com/v8/[email protected]
Affected files (+83, -6 lines):
M include/v8-version.h
M src/ic/ic.cc
M test/cctest/test-api.cc
Index: include/v8-version.h
diff --git a/include/v8-version.h b/include/v8-version.h
index
dbbb2dcd29eff8c0fac216ceae82284a5d841599..54efa565bcf21723c3ae0045b8e233700911ff54
100644
--- a/include/v8-version.h
+++ b/include/v8-version.h
@@ -11,7 +11,7 @@
#define V8_MAJOR_VERSION 4
#define V8_MINOR_VERSION 3
#define V8_BUILD_NUMBER 61
-#define V8_PATCH_LEVEL 37
+#define V8_PATCH_LEVEL 38
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
Index: src/ic/ic.cc
diff --git a/src/ic/ic.cc b/src/ic/ic.cc
index
0ba80d35907c536934ba37beec838afaaf2ba0ca..c6d76094bb7394da7c44ad2dac22c6d0bb91bb20
100644
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -1111,7 +1111,39 @@ void LoadIC::UpdateCaches(LookupIterator* lookup) {
code = slow_stub();
}
} else {
- code = ComputeHandler(lookup);
+ if (lookup->state() == LookupIterator::ACCESSOR) {
+ Handle<Object> accessors = lookup->GetAccessors();
+ Handle<Map> map = receiver_map();
+ if (accessors->IsExecutableAccessorInfo()) {
+ Handle<ExecutableAccessorInfo> info =
+ Handle<ExecutableAccessorInfo>::cast(accessors);
+ if ((v8::ToCData<Address>(info->getter()) != 0) &&
+ !ExecutableAccessorInfo::IsCompatibleReceiverMap(isolate(),
info,
+ map)) {
+ TRACE_GENERIC_IC(isolate(), "LoadIC", "incompatible receiver
type");
+ code = slow_stub();
+ }
+ } else if (accessors->IsAccessorPair()) {
+ Handle<Object>
getter(Handle<AccessorPair>::cast(accessors)->getter(),
+ isolate());
+ Handle<JSObject> holder = lookup->GetHolder<JSObject>();
+ Handle<Object> receiver = lookup->GetReceiver();
+ if (getter->IsJSFunction() && holder->HasFastProperties()) {
+ Handle<JSFunction> function = Handle<JSFunction>::cast(getter);
+ if (receiver->IsJSObject() || function->IsBuiltin() ||
+ !is_sloppy(function->shared()->language_mode())) {
+ CallOptimization call_optimization(function);
+ if (call_optimization.is_simple_api_call() &&
+ !call_optimization.IsCompatibleReceiver(receiver, holder))
{
+ TRACE_GENERIC_IC(isolate(), "LoadIC",
+ "incompatible receiver type");
+ code = slow_stub();
+ }
+ }
+ }
+ }
+ }
+ if (code.is_null()) code = ComputeHandler(lookup);
}
PatchCache(lookup->name(), code);
@@ -1238,6 +1270,8 @@ Handle<Code> LoadIC::CompileHandler(LookupIterator*
lookup,
if (v8::ToCData<Address>(info->getter()) == 0) break;
if (!ExecutableAccessorInfo::IsCompatibleReceiverMap(isolate(),
info,
map)) {
+ // This case should be already handled in LoadIC::UpdateCaches.
+ UNREACHABLE();
break;
}
if (!holder->HasFastProperties()) break;
@@ -1258,10 +1292,14 @@ Handle<Code> LoadIC::CompileHandler(LookupIterator*
lookup,
}
CallOptimization call_optimization(function);
NamedLoadHandlerCompiler compiler(isolate(), map, holder,
cache_holder);
- if (call_optimization.is_simple_api_call() &&
- call_optimization.IsCompatibleReceiver(receiver, holder)) {
- return compiler.CompileLoadCallback(lookup->name(),
call_optimization,
- lookup->GetAccessorIndex());
+ if (call_optimization.is_simple_api_call()) {
+ if (call_optimization.IsCompatibleReceiver(receiver, holder)) {
+ return compiler.CompileLoadCallback(
+ lookup->name(), call_optimization,
lookup->GetAccessorIndex());
+ } else {
+ // This case should be already handled in LoadIC::UpdateCaches.
+ UNREACHABLE();
+ }
}
int expected_arguments =
function->shared()->internal_formal_parameter_count();
Index: test/cctest/test-api.cc
diff --git a/test/cctest/test-api.cc b/test/cctest/test-api.cc
index
1411d40152493e37dfd38a8118833670180fcf20..8005f35cc9acc2fb33a1aa04319475d2e257d563
100644
--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -21927,3 +21927,42 @@ TEST(NewStringRangeError) {
}
free(buffer);
}
+
+
+TEST(CompatibleReceiverCheckOnCachedICHandler) {
+ v8::Isolate* isolate = CcTest::isolate();
+ v8::HandleScope scope(isolate);
+ v8::Local<v8::FunctionTemplate> parent = FunctionTemplate::New(isolate);
+ v8::Local<v8::Signature> signature = v8::Signature::New(isolate, parent);
+ auto returns_42 =
+ v8::FunctionTemplate::New(isolate, Returns42, Local<Value>(),
signature);
+ parent->PrototypeTemplate()->SetAccessorProperty(v8_str("age"),
returns_42);
+ v8::Local<v8::FunctionTemplate> child =
v8::FunctionTemplate::New(isolate);
+ child->Inherit(parent);
+ LocalContext env;
+ env->Global()->Set(v8_str("Child"), child->GetFunction());
+
+ // Make sure there's a compiled stub for "Child.prototype.age" in the
cache.
+ CompileRun(
+ "var real = new Child();\n"
+ "for (var i = 0; i < 3; ++i) {\n"
+ " real.age;\n"
+ "}\n");
+
+ // Check that the cached stub is never used.
+ ExpectInt32(
+ "var fake = Object.create(Child.prototype);\n"
+ "var result = 0;\n"
+ "function test(d) {\n"
+ " if (d == 3) return;\n"
+ " try {\n"
+ " fake.age;\n"
+ " result = 1;\n"
+ " } catch (e) {\n"
+ " }\n"
+ " test(d+1);\n"
+ "}\n"
+ "test(0);\n"
+ "result;\n",
+ 0);
+}
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
