Reviewers: Jakob,

Message:
PTAL

Description:
Disallow updates to ic_with_type_info_count with negative values.

[email protected]


Please review this at https://chromiumcodereview.appspot.com/10883064/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files:
  M src/objects-inl.h


Index: src/objects-inl.h
diff --git a/src/objects-inl.h b/src/objects-inl.h
index 756b40ba23c035e0d86e575260775de266fe8621..7083fbaaf3c687d158c284aa51855a7a7090930d 100644
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -5241,10 +5241,17 @@ int TypeFeedbackInfo::ic_with_type_info_count() {

 void TypeFeedbackInfo::change_ic_with_type_info_count(int delta) {
   int value = Smi::cast(READ_FIELD(this, kStorage2Offset))->value();
-  int current_count = ICsWithTypeInfoCountField::decode(value);
-  value =
-      ICsWithTypeInfoCountField::update(value, current_count + delta);
-  WRITE_FIELD(this, kStorage2Offset, Smi::FromInt(value));
+  int new_count = ICsWithTypeInfoCountField::decode(value) + delta;
+  // We can get negative count here when the type-feedback info is
+  // shared between two code objects. The can only happen when
+  // the debugger made a shallow copy of code object (see Heap::CopyCode).
+  // Since we do not optimize when the debugger is active, we can skip
+  // this counter update.
+  if (new_count >= 0) {
+    new_count &= ICsWithTypeInfoCountField::kMask;
+    value = ICsWithTypeInfoCountField::update(value, new_count);
+    WRITE_FIELD(this, kStorage2Offset, Smi::FromInt(value));
+  }
 }
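Review bot: The truncation `new_count &= ICsWithTypeInfoCountField::kMask;` appears to apply the in-place mask rather than the value mask: in V8's BitField, kMask is shifted to the field's bit position, so unless this field starts at bit 0 the AND keeps or clears the wrong bits before update() encodes the value — worth confirming against the field's declaration in objects.h. Even with a zero shift, masking wraps an overflowing count to a small value instead of saturating, and subsequent decrements can then drive it below zero, where the new `if (new_count >= 0)` guard silently drops the update and hides the accounting error. If the intent is only to avoid the range check inside encode(), clamping is safer, e.g. `if (new_count > ICsWithTypeInfoCountField::kMax) new_count = ICsWithTypeInfoCountField::kMax;` (or `ASSERT(ICsWithTypeInfoCountField::is_valid(new_count));` in debug builds), assuming BitField exposes those members in this tree. The explanatory comment also has a typo ("The can only happen" → "This can only happen"), and since the skip now masks any other source of a negative count, a debug-only check that the debugger is actually active when new_count < 0 would keep genuine bookkeeping bugs visible.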



