Status: Accepted
Owner: [email protected]
Labels: Type-Bug Priority-Medium
New issue 1551 by [email protected]: Some instance type checks wrong in the presence of proxies
http://code.google.com/p/v8/issues/detail?id=1551
There are a number of places where an instance type check has not been
adapted properly to the new class and type hierarchy including proxies.
They will likely crash on proxies. We need enough test cases to cover these.
A couple of examples from Mads:
ic-ia32.cc:GenerateKeyedLoadReceiverCheck
// Check that the object is some kind of JS object EXCEPT JS Value type.
// In the case that the object is a value-wrapper object,
// we enter the runtime system to make sure that indexing
// into string objects works as intended.
ASSERT(JS_OBJECT_TYPE > JS_VALUE_TYPE);
__ CmpInstanceType(map, JS_OBJECT_TYPE);
__ j(below, slow);
We then go on to load the elements at the use site.
stub-cache-ia32.cc: GenerateDictionaryNegativeLookup
// Check that receiver is a JSObject.
__ CmpInstanceType(r0, FIRST_SPEC_OBJECT_TYPE);
__ j(below, miss_label);
// Load properties array.
Register properties = r0;
__ mov(properties, FieldOperand(receiver, JSObject::kPropertiesOffset));
I will be adding another one to the arguments ICs. It seems that more
cleanup is needed here and better abstractions for checking the right thing
in generated code. We should add tests that get through all of these
places with proxies as receivers. I think a good deal of time should be
invested in writing such tests.
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
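As an added illustration of the kind of test the issue asks for (not code from the issue or from V8's own test suite), the following JavaScript warms each of the two IC sites named above with ordinary receivers and then hits it with a proxy, so a wrong instance type check would be reached with a proxy as receiver; it assumes ES2015 `new Proxy` syntax standing in for the harmony `Proxy.create` API V8 used at the time.

```javascript
// Added example, not from the issue or from V8. Uses ES2015 Proxy syntax
// (assumption; the issue's V8 predates it).

// Site 1: a keyed load. Warmed with arrays and a plain object so the keyed
// load IC takes its fast path, then called with a proxy. The check quoted
// from GenerateKeyedLoadReceiverCheck must send the proxy to the runtime
// (which invokes the trap) rather than loading a non-existent elements array.
function keyedLoad(receiver, key) {
  return receiver[key];
}

function exerciseKeyedLoadIC() {
  const results = [];
  for (let i = 0; i < 5; i++) results.push(keyedLoad([10, 20, 30], i % 3));
  results.push(keyedLoad({ 0: "a", 1: "b" }, 1));
  const trapped = [];
  const proxy = new Proxy({}, {
    get(target, key) {
      trapped.push(String(key));
      return "trap:" + String(key);
    }
  });
  results.push(keyedLoad(proxy, 0));
  results.push(keyedLoad(proxy, "x"));
  return { results, trapped };
}

// Site 2: a named load that misses on the receiver and walks the prototype
// chain (a negative lookup). Warmed with plain objects so the stub from
// GenerateDictionaryNegativeLookup is generated, then hit with a proxy both
// on the chain and as the receiver itself. A stub that reads
// JSObject::kPropertiesOffset from any spec object would read past a proxy's
// layout here; a correct engine consults the proxy's get trap instead.
function namedLoad(receiver) {
  return receiver.missing;
}

function exerciseNegativeLookup() {
  for (let i = 0; i < 5; i++) namedLoad({ a: i, b: i }); // warm with misses
  const proxy = new Proxy({}, {
    get(target, key) { return key === "missing" ? 42 : undefined; }
  });
  const child = Object.create(proxy); // proxy on the prototype chain
  child.own = 1;
  return [namedLoad(child), namedLoad(proxy), namedLoad({})];
}
```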