Reviewers: danno,
Message:
PTAL. This is the 3.21 (pre-refactoring) version of
https://codereview.chromium.org/35173005/.
Description:
3.21 branch: Fix HObjectAccess for loads from migrating prototypes
BUG=chromium:305309
Please review this at https://codereview.chromium.org/37323002/
SVN Base: https://v8.googlecode.com/svn/branches/3.21
Affected files (+19, -19 lines):
M src/hydrogen.cc
M src/version.cc
A + test/mjsunit/regress/regress-crbug-305309.js
Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index
15ef5ed0b65bbc54aa412505581c71bcd528dc3d..a4e76b140c718d68fc100c1b5d27ce1ccef79ecf
100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -5406,9 +5406,9 @@ HInstruction*
HOptimizedGraphBuilder::BuildLoadNamedMonomorphic(
if (lookup.IsField()) {
Handle<JSObject> prototype(JSObject::cast(map->prototype()));
Handle<JSObject> holder(lookup.holder());
- Handle<Map> holder_map(holder->map());
AddCheckMap(object, map);
HValue* checked_holder = BuildCheckPrototypeMaps(prototype, holder);
+ Handle<Map> holder_map(holder->map());
return BuildLoadNamedField(
checked_holder, HObjectAccess::ForField(holder_map, &lookup,
name));
}
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index
a65b54f674c7195b03f611f75ec6041b66de0b12..8c7621c6c7ada10e414ecf0d34a656d63d5a7fdb
100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 21
#define BUILD_NUMBER 18
-#define PATCH_LEVEL 3
+#define PATCH_LEVEL 4
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
Index: test/mjsunit/regress/regress-crbug-305309.js
diff --git a/test/mjsunit/elide-double-hole-check-9.js
b/test/mjsunit/regress/regress-crbug-305309.js
similarity index 80%
copy from test/mjsunit/elide-double-hole-check-9.js
copy to test/mjsunit/regress/regress-crbug-305309.js
index
88bbc7eaaa2955cf726fda76fca080e8663b1a96..cd89bedc112002b776ff5dc6f6e41571e81b5bc0
100644
--- a/test/mjsunit/elide-double-hole-check-9.js
+++ b/test/mjsunit/regress/regress-crbug-305309.js
@@ -27,23 +27,23 @@
// Flags: --allow-natives-syntax
-var do_set = false;
-
-%NeverOptimizeFunction(set_proto_elements);
-function set_proto_elements() {
- if (do_set) Array.prototype[1] = 1.5;
-}
-
-function f(a, i) {
- set_proto_elements();
- return a[i] + 0.5;
+function BadProto() {
+ this.constant_function = function() {};
+ this.one = 1;
+ this.two = 2;
}
+var b1 = new BadProto();
+var b2 = new BadProto();
-var arr = [0.0,,2.5];
-assertEquals(0.5, f(arr, 0));
-assertEquals(0.5, f(arr, 0));
-%OptimizeFunctionOnNextCall(f);
-assertEquals(0.5, f(arr, 0));
-do_set = true;
-assertEquals(2, f(arr, 1));
+function Ctor() {}
+Ctor.prototype = b1;
+var a = new Ctor();
+function Two(x) {
+ return x.two;
+}
+assertEquals(2, Two(a));
+assertEquals(2, Two(a));
+b2.constant_function = "no longer constant!";
+%OptimizeFunctionOnNextCall(Two);
+assertEquals(2, Two(a));
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
