Reviewers: Jakob,
Description:
Fix crash in CALLBACK KeyedIC stub.
[email protected]
Please review this at https://chromiumcodereview.appspot.com/9390005/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/ic.cc
Index: src/ic.cc
diff --git a/src/ic.cc b/src/ic.cc
index
ef3fc2c86b6d8e76dbfcd2d3f027fad5ee70ca9a..f774b928ce7c7656b19bdc7d69abb103ae218967
100644
--- a/src/ic.cc
+++ b/src/ic.cc
@@ -1504,6 +1504,14 @@ Handle<Code> KeyedIC::ComputeStub(Handle<JSObject>
receiver,
? ALLOW_JSARRAY_GROWTH
: DO_NOT_ALLOW_JSARRAY_GROWTH;
+ // Don't handle megamorphic property accesses for INTERCEPTORS or
CALLBACKS
+ // via megamorphic stubs, since they don't have a map in their
relocation info
+ // and so the stubs can't be harvested for the object needed for a map
check.
+ if (target()->type() != NORMAL) {
+ TRACE_GENERIC_IC("KeyedIC", "non-NORMAL target type");
+ return generic_stub;
+ }
+
bool monomorphic = false;
MapHandleList target_receiver_maps;
if (ic_state != UNINITIALIZED && ic_state != PREMONOMORPHIC) {
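Review bot: The comment carried over onto the added lines still says the check skips "megamorphic property accesses", but at its new position it runs before ic_state is examined, so a non-NORMAL target now falls back to the generic stub in every state, not just the megamorphic one; the first comment line should say so, e.g. `// Don't handle property accesses for INTERCEPTORS or CALLBACKS via monomorphic or megamorphic stubs, since they don't have a map in their relocation info`. The early return also relies on generic_stub being initialized above this point, which the hunk does not show and which the old placement after the state handling did not require, so that is worth confirming. Affected files lists only src/ic.cc, so the CALLBACK crash the description names comes with no regression test; a small test doing a keyed access through a callback-backed property would pin the fix. The second hunk is the matching removal of the old block and needs nothing further. KeyedIC::ComputeStub starts and ends outside this hunk.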
@@ -1534,14 +1542,6 @@ Handle<Code> KeyedIC::ComputeStub(Handle<JSObject>
receiver,
}
ASSERT(target() != *generic_stub);
- // Don't handle megamorphic property accesses for INTERCEPTORS or
CALLBACKS
- // via megamorphic stubs, since they don't have a map in their
relocation info
- // and so the stubs can't be harvested for the object needed for a map
check.
- if (target()->type() != NORMAL) {
- TRACE_GENERIC_IC("KeyedIC", "non-NORMAL target type");
- return generic_stub;
- }
-
// Determine the list of receiver maps that this call site has seen,
// adding the map that was just encountered.
Handle<Map> receiver_map(receiver->map());