Reviewers: Jakob,

Description:
Merged r12088 into 3.10 branch.

Fix ICs for slow objects with native accessor.

[email protected]
BUG=chromium:137002
TEST=test/test-api/Regress137002[a,b]


Please review this at https://chromiumcodereview.appspot.com/10796059/

SVN Base: https://v8.googlecode.com/svn/branches/3.10

Affected files:
  M src/ic.cc
  M src/version.cc
  M test/cctest/test-api.cc


Index: src/ic.cc
diff --git a/src/ic.cc b/src/ic.cc
index 643fa884139fa1d041d94d7d7092feb748a508d9..33d93614cf9a121ceb879b627fd136e059a610d4 100644
--- a/src/ic.cc
+++ b/src/ic.cc
@@ -983,6 +983,7 @@ void LoadIC::UpdateCaches(LookupResult* lookup,
         Handle<AccessorInfo> callback =
             Handle<AccessorInfo>::cast(callback_object);
         if (v8::ToCData<Address>(callback->getter()) == 0) return;
+        if (!receiver->HasFastProperties()) return;
         code = isolate()->stub_cache()->ComputeLoadCallback(
             name, receiver, holder, callback);
         break;
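Review bot: The added guard `if (!receiver->HasFastProperties()) return;` tests only `receiver`, while `ComputeLoadCallback` is given both `receiver` and `holder`; if the accessor lives on a dictionary-mode object further up the prototype chain, this hunk does not show that the cached stub stays valid, so it is worth confirming whether `holder` needs the same check. The same question applies to the KeyedLoadIC hunk. All three guards, including the StoreIC one, are also bare early returns; a comment such as `// Dictionary-mode receivers can gain or lose properties without a map change, so a map-checked callback stub could go stale.` would record why the IC is left uncached. That rationale is inferred from the regression tests in this change and should be confirmed by the author. The UpdateCaches bodies start and end outside the hunks.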
@@ -1246,6 +1247,7 @@ void KeyedLoadIC::UpdateCaches(LookupResult* lookup,
         Handle<AccessorInfo> callback =
             Handle<AccessorInfo>::cast(callback_object);
         if (v8::ToCData<Address>(callback->getter()) == 0) return;
+        if (!receiver->HasFastProperties()) return;
         code = isolate()->stub_cache()->ComputeKeyedLoadCallback(
             name, receiver, holder, callback);
         break;
@@ -1460,6 +1462,7 @@ void StoreIC::UpdateCaches(LookupResult* lookup,
       Handle<AccessorInfo> callback =
           Handle<AccessorInfo>::cast(callback_object);
       if (v8::ToCData<Address>(callback->setter()) == 0) return;
+      if (!receiver->HasFastProperties()) return;
       code = isolate()->stub_cache()->ComputeStoreCallback(
           name, receiver, callback, strict_mode);
       break;
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index a98524f78c631f938e5849939efb2dc400814b2e..c062beb80d80fdf965cf456da3ebc5cc2c3cdca8 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     10
 #define BUILD_NUMBER      8
-#define PATCH_LEVEL       22
+#define PATCH_LEVEL       23
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
Index: test/cctest/test-api.cc
diff --git a/test/cctest/test-api.cc b/test/cctest/test-api.cc
index 8a1e9147369fbde7d20e996c91e45089c0545e67..1a0ad83b0027fe3406d85d353346959b0dcdb9cf 100644
--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -16593,3 +16593,46 @@ TEST(StringEmpty) {
   CHECK(v8::String::Empty(isolate).IsEmpty());
   CHECK_EQ(3, fatal_error_callback_counter);
 }
+
+
+THREADED_TEST(Regress137002a) {
+  i::FLAG_allow_natives_syntax = true;
+  v8::HandleScope scope;
+  LocalContext context;
+  Local<ObjectTemplate> templ = ObjectTemplate::New();
+  templ->SetAccessor(v8_str("foo"),
+                     GetterWhichReturns42,
+                     SetterWhichSetsYOnThisTo23);
+  context->Global()->Set(v8_str("obj"), templ->NewInstance());
+
+  // Turn monomorphic on slow object with native accessor, then turn
+  // polymorphic, finally optimize to create negative lookup and fail.
+  CompileRun("function f(x) { return x.foo; }"
+             "%OptimizeObjectForAddingMultipleProperties(obj, 1);"
+             "obj.__proto__ = null;"
+             "f(obj); f(obj); f({});"
+             "%OptimizeFunctionOnNextCall(f);"
+             "var result = f(obj);");
+  CHECK_EQ(42, context->Global()->Get(v8_str("result"))->Int32Value());
+}
+
+
+THREADED_TEST(Regress137002b) {
+  i::FLAG_allow_natives_syntax = true;
+  v8::HandleScope scope;
+  LocalContext context;
+  Local<ObjectTemplate> templ = ObjectTemplate::New();
+  templ->SetAccessor(v8_str("foo"),
+                     GetterWhichReturns42,
+                     SetterWhichSetsYOnThisTo23);
+  context->Global()->Set(v8_str("obj"), templ->NewInstance());
+
+  // Turn monomorphic on slow object with native accessor, then just
+  // delete the property and fail.
+  CompileRun("function f(x) { return x.foo; }"
+             "%OptimizeObjectForAddingMultipleProperties(obj, 1);"
+             "obj.__proto__ = null;"
+             "f(obj); f(obj); delete obj.foo;"
+             "var result = f(obj);");
+  CHECK(context->Global()->Get(v8_str("result"))->IsUndefined());
+}
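Review bot: Both regression tests drive only a named load (`function f(x) { return x.foo; }`), so of the three guards added in src/ic.cc only the LoadIC one is exercised; the KeyedLoadIC and StoreIC guards land without coverage. `SetterWhichSetsYOnThisTo23` is registered but no script ever stores to `obj.foo`. Consider adding variants that use `function f(x) { return x['foo']; }` and `function g(x) { x.foo = 1; }` against the same slow-mode object. Separately, `i::FLAG_allow_natives_syntax = true;` is set in each test and not restored within the visible lines, which may leak into later tests in the same process.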

