Reviewers: Jakob,

Description:
Merged r12088 into 3.8 branch.

Fix ICs for slow objects with native accessor.

[email protected]
BUG=chromium:137002
TEST=test/test-api/Regress137002[a,b]


Please review this at https://chromiumcodereview.appspot.com/10816002/

SVN Base: https://v8.googlecode.com/svn/branches/3.8

Affected files:
  M src/ic.cc
  M src/version.cc
  M test/cctest/test-api.cc


Index: src/ic.cc
diff --git a/src/ic.cc b/src/ic.cc
index b084109a713aa572bb79acdfb7f1155d8a9ba9f8..d5ad006d3bf7f367b1957f9d27f06760b8263f39 100644
--- a/src/ic.cc
+++ b/src/ic.cc
@@ -938,6 +938,7 @@ void LoadIC::UpdateCaches(LookupResult* lookup,
         Handle<AccessorInfo> callback =
             Handle<AccessorInfo>::cast(callback_object);
         if (v8::ToCData<Address>(callback->getter()) == 0) return;
+        if (!receiver->HasFastProperties()) return;
         code = isolate()->stub_cache()->ComputeLoadCallback(
             name, receiver, holder, callback);
         break;
@@ -1174,6 +1175,7 @@ void KeyedLoadIC::UpdateCaches(LookupResult* lookup,
         Handle<AccessorInfo> callback =
             Handle<AccessorInfo>::cast(callback_object);
         if (v8::ToCData<Address>(callback->getter()) == 0) return;
+        if (!receiver->HasFastProperties()) return;
         code = isolate()->stub_cache()->ComputeKeyedLoadCallback(
             name, receiver, holder, callback);
         break;
@@ -1388,6 +1390,7 @@ void StoreIC::UpdateCaches(LookupResult* lookup,
       Handle<AccessorInfo> callback =
           Handle<AccessorInfo>::cast(callback_object);
       if (v8::ToCData<Address>(callback->setter()) == 0) return;
+      if (!receiver->HasFastProperties()) return;
       code = isolate()->stub_cache()->ComputeStoreCallback(
           name, receiver, callback, strict_mode);
       break;
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index 99491ebf06260f0bfc65db975ae641c4875e5e6a..f40cfd825b73b7a879e9d8bece44eaa44be89729 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     8
 #define BUILD_NUMBER      9
-#define PATCH_LEVEL       24
+#define PATCH_LEVEL       25
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
Index: test/cctest/test-api.cc
diff --git a/test/cctest/test-api.cc b/test/cctest/test-api.cc
index 59d6d19462f357d96b27f9fb1515161d17d6bd57..c10a7eede71dc18e438a819d7aa13f9f8f3bef0d 100644
--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -15948,3 +15948,46 @@ TEST(CallCompletedCallbackTwoExceptions) {
   v8::V8::AddCallCompletedCallback(CallCompletedCallbackException);
   CompileRun("throw 'first exception';");
 }
+
+
+THREADED_TEST(Regress137002a) {
+  i::FLAG_allow_natives_syntax = true;
+  v8::HandleScope scope;
+  LocalContext context;
+  Local<ObjectTemplate> templ = ObjectTemplate::New();
+  templ->SetAccessor(v8_str("foo"),
+                     GetterWhichReturns42,
+                     SetterWhichSetsYOnThisTo23);
+  context->Global()->Set(v8_str("obj"), templ->NewInstance());
+
+  // Turn monomorphic on slow object with native accessor, then turn
+  // polymorphic, finally optimize to create negative lookup and fail.
+  CompileRun("function f(x) { return x.foo; }"
+             "%OptimizeObjectForAddingMultipleProperties(obj, 1);"
+             "obj.__proto__ = null;"
+             "f(obj); f(obj); f({});"
+             "%OptimizeFunctionOnNextCall(f);"
+             "var result = f(obj);");
+  CHECK_EQ(42, context->Global()->Get(v8_str("result"))->Int32Value());
+}
+
+
+THREADED_TEST(Regress137002b) {
+  i::FLAG_allow_natives_syntax = true;
+  v8::HandleScope scope;
+  LocalContext context;
+  Local<ObjectTemplate> templ = ObjectTemplate::New();
+  templ->SetAccessor(v8_str("foo"),
+                     GetterWhichReturns42,
+                     SetterWhichSetsYOnThisTo23);
+  context->Global()->Set(v8_str("obj"), templ->NewInstance());
+
+  // Turn monomorphic on slow object with native accessor, then just
+  // delete the property and fail.
+  CompileRun("function f(x) { return x.foo; }"
+             "%OptimizeObjectForAddingMultipleProperties(obj, 1);"
+             "obj.__proto__ = null;"
+             "f(obj); f(obj); delete obj.foo;"
+             "var result = f(obj);");
+  CHECK(context->Global()->Get(v8_str("result"))->IsUndefined());
+}


--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev

Reply via email to