Reviewers: danno,
Message:
Danno: PTAL.
Toon: FYI.
Description:
Fix HObjectAccess for loads from migrating prototypes
BUG=chromium:305309
Please review this at https://codereview.chromium.org/35173005/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+20, -17 lines):
M src/hydrogen.cc
A + test/mjsunit/regress/regress-crbug-305309.js
Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index
218859fc22a20ecca645ee6319ac07ad8c53b55a..832d905a2f0d17114061882ef7ce3a072e8d7a2b
100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -4759,6 +4759,9 @@ bool
HOptimizedGraphBuilder::PropertyAccessInfo::LookupInPrototypes() {
Handle<Map> map = map_;
while (map->prototype()->IsJSObject()) {
holder_ = handle(JSObject::cast(map->prototype()));
+ if (holder_->map()->is_deprecated()) {
+ JSObject::TryMigrateInstance(holder_);
+ }
map = Handle<Map>(holder_->map());
if (!CanInlinePropertyAccess(*map)) {
lookup_.NotFound();
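Review bot: The result of `JSObject::TryMigrateInstance(holder_)` is discarded, so if the migration does not succeed the loop continues with `map` re-read from a holder whose map may still be deprecated. That the call can fail is inferred from its name; its definition is not in this hunk. The optimized load is presumably built from the layout this map describes, so a stale map here would be a memory-safety concern and not only a missed optimization. Folding the check into the existing bailout keeps the change to one line: `if (map->is_deprecated() || !CanInlinePropertyAccess(*map)) {`. The body of LookupInPrototypes continues outside the hunk, so the return path of that branch should be confirmed there.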
Index: test/mjsunit/regress/regress-crbug-305309.js
diff --git a/test/mjsunit/elide-double-hole-check-9.js
b/test/mjsunit/regress/regress-crbug-305309.js
similarity index 80%
copy from test/mjsunit/elide-double-hole-check-9.js
copy to test/mjsunit/regress/regress-crbug-305309.js
index
88bbc7eaaa2955cf726fda76fca080e8663b1a96..cd89bedc112002b776ff5dc6f6e41571e81b5bc0
100644
--- a/test/mjsunit/elide-double-hole-check-9.js
+++ b/test/mjsunit/regress/regress-crbug-305309.js
@@ -27,23 +27,23 @@
// Flags: --allow-natives-syntax
-var do_set = false;
-
-%NeverOptimizeFunction(set_proto_elements);
-function set_proto_elements() {
- if (do_set) Array.prototype[1] = 1.5;
-}
-
-function f(a, i) {
- set_proto_elements();
- return a[i] + 0.5;
+function BadProto() {
+ this.constant_function = function() {};
+ this.one = 1;
+ this.two = 2;
}
+var b1 = new BadProto();
+var b2 = new BadProto();
-var arr = [0.0,,2.5];
-assertEquals(0.5, f(arr, 0));
-assertEquals(0.5, f(arr, 0));
-%OptimizeFunctionOnNextCall(f);
-assertEquals(0.5, f(arr, 0));
-do_set = true;
-assertEquals(2, f(arr, 1));
+function Ctor() {}
+Ctor.prototype = b1;
+var a = new Ctor();
+function Two(x) {
+ return x.two;
+}
+assertEquals(2, Two(a));
+assertEquals(2, Two(a));
+b2.constant_function = "no longer constant!";
+%OptimizeFunctionOnNextCall(Two);
+assertEquals(2, Two(a));
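Review bot: The regression test has no comment explaining why the store to `b2` matters when the prototype under test is `b1`, so the next reader cannot tell which step reproduces the bug. Above `b2.constant_function = "no longer constant!";` I would add `// b1 and b2 share a map; this store is expected to deprecate it, leaving Ctor.prototype (b1) on the old map.` Above `%OptimizeFunctionOnNextCall(Two);` I would add `// The optimized load of x.two must see the migrated prototype map (crbug 305309).` The mechanism described in the first comment is inferred from the hydrogen.cc change and should be confirmed by the author.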