Reviewers: Mads Ager,
Description:
Handle overwriting valueOf on String objects correctly when adding
This adds a check to the fast case string add to ensure that the String
object
still have the default valueOf function. The default valueOf is sitting on a
hidden prototype of String.prototype.
Before using the fast case valueOf the object is checked for a local valueOf
property. For slow case objects this check always reports true (the
dictionary
is not probed, so valueOf might be there) and for fast case objects the
descriptor array is checked for the valueOf symbol (just liniar scan). After
that the prototype is checked for beeing the initial value of
String.prototype.
If this all pass (that is the default valueOf is still in place) this
result is
cached on the map making the check fast the next time.
This is only implemented in the optimizing compiler, as the two usages of
%_IsStringWrapperSafeForDefaultValueOf is never hit by the full compiler.
I will port to x64 and ARM when this has been reviewed for ia32.
I will remove the performance counters prior to final commit.
BUG=http://code.google.com/p/v8/issues/detail?id=760
TEST=test/mjsunit/regress/regress-760-1.js
TEST=test/mjsunit/regress/regress-760-2.js
Please review this at http://codereview.chromium.org/3117006/show
SVN Base: http://v8.googlecode.com/svn/branches/bleeding_edge/
Affected files:
M src/bootstrapper.cc
M src/codegen.h
M src/contexts.h
M src/full-codegen.h
M src/full-codegen.cc
M src/ia32/codegen-ia32.h
M src/ia32/codegen-ia32.cc
M src/ia32/full-codegen-ia32.cc
M src/objects.h
M src/runtime.js
M src/v8-counters.h
A test/mjsunit/regress/regress-760-1.js
A test/mjsunit/regress/regress-760-2.js
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
