Reviewers: ulan, Hannes Payer,
Message:
Fixes the issue Yang was seeing in v8:4359.
Description:
[GC] Align behavior of JSProxy with JSObject when embedded in optimized code
With --harmony-proxies enabled, embedded pointers in optimized code can
point to
a JSProxy (via a cell). Since JSProxy can morph into JSObject we need to
align
the expectations of weak vs strong refs.
With this patch we also treat JSPRoxy as weak ref (like JSObject) and
therefore
properly record a dependency on it, so that once the cell pointing to it
becomes
unreachable we deoptimize the corresponding code.
BUG=v8:4359
LOG=N
Please review this at https://codereview.chromium.org/1270393003/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+2, -1 lines):
M src/objects-inl.h
Index: src/objects-inl.h
diff --git a/src/objects-inl.h b/src/objects-inl.h
index
3a9fe2991decc352c34f79a0635ce1968a57539f..f9c0f460922fea8428b7ca6cc987ecec020e3259
100644
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -4735,7 +4735,8 @@ bool Code::IsWeakObjectInOptimizedCode(Object*
object) {
} else if (object->IsPropertyCell()) {
object = PropertyCell::cast(object)->value();
}
- if (object->IsJSObject()) {
+ if (object->IsJSObject() || object->IsJSProxy()) {
+ // JSProxy is handled like JSObject because it can morph into one.
return FLAG_weak_embedded_objects_in_optimized_code;
}
if (object->IsFixedArray()) {
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
