Revision: 12386 Author: [email protected] Date: Mon Aug 27 08:17:14 2012 Log: Disallow updates to ic_with_type_info_count with negative values.
[email protected]
Review URL: https://chromiumcodereview.appspot.com/10883064
http://code.google.com/p/v8/source/detail?r=12386
Modified:
/branches/bleeding_edge/src/objects-inl.h
=======================================
--- /branches/bleeding_edge/src/objects-inl.h Mon Aug 27 06:47:34 2012
+++ /branches/bleeding_edge/src/objects-inl.h Mon Aug 27 08:17:14 2012
@@ -5241,10 +5241,17 @@
void TypeFeedbackInfo::change_ic_with_type_info_count(int delta) {
int value = Smi::cast(READ_FIELD(this, kStorage2Offset))->value();
- int current_count = ICsWithTypeInfoCountField::decode(value);
- value =
- ICsWithTypeInfoCountField::update(value, current_count + delta);
- WRITE_FIELD(this, kStorage2Offset, Smi::FromInt(value));
+ int new_count = ICsWithTypeInfoCountField::decode(value) + delta;
+ // We can get negative count here when the type-feedback info is
+ // shared between two code objects. The can only happen when
+ // the debugger made a shallow copy of code object (see Heap::CopyCode).
+ // Since we do not optimize when the debugger is active, we can skip
+ // this counter update.
+ if (new_count >= 0) {
+ new_count &= ICsWithTypeInfoCountField::kMask;
+ value = ICsWithTypeInfoCountField::update(value, new_count);
+ WRITE_FIELD(this, kStorage2Offset, Smi::FromInt(value));
+ }
}
-- v8-dev mailing list [email protected] http://groups.google.com/group/v8-dev
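Review bot: `new_count &= ICsWithTypeInfoCountField::kMask;` in the new `if` body only yields a value that `update()` can encode if the field sits at bit 0 of the storage word — a bit-field `kMask` is normally already shifted into the field's position, so if this field's shift is ever non-zero the mask keeps the wrong bits and the count is corrupted rather than wrapped; masking with the unshifted field width, or a compile-time assertion that the shift is zero, would make the layout dependence explicit. The mask also wraps a count that outgrows the field silently, which under-reports the IC-with-type-info ratio without any signal; a debug assertion before the mask would surface that case. The new comment has a typo on its second line, which should read `// shared between two code objects. This can only happen when`.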
