Reviewers: Toon Verwaest,
Message:
As discussed.
Description:
Proper fix for the issue exposed by r17459
This reverts r17462 and instead fixes StubCache::ComputeLoadNonexistent by
replacing s/IsGlobalObject/IsJSGlobalObject/ there.
Please review this at https://codereview.chromium.org/59103005/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+9, -13 lines):
M src/ic.cc
M src/stub-cache.cc
Index: src/ic.cc
diff --git a/src/ic.cc b/src/ic.cc
index
11cd7ecd705385d9e37ca8783ed602f48ca47cc7..55d7ba936fb3068d105d2af10673aa31b4d1896c
100644
--- a/src/ic.cc
+++ b/src/ic.cc
@@ -370,18 +370,6 @@ void IC::TryRemoveInvalidHandlers(Handle<Map> map,
Handle<String> name) {
void IC::UpdateState(Handle<Object> receiver, Handle<Object> name) {
if (!name->IsString()) return;
-
- // The builtins object is special. It only changes when JavaScript
- // builtins are loaded lazily. It is important to keep inline
- // caches for the builtins object monomorphic. Therefore, if we get
- // an inline cache miss for the builtins object after lazily loading
- // JavaScript builtins, we return uninitialized as the state to
- // force the inline cache back to monomorphic state.
- if (receiver->IsJSBuiltinsObject()) {
- state_ = UNINITIALIZED;
- return;
- }
-
if (state() != MONOMORPHIC) {
if (state() == POLYMORPHIC && receiver->IsHeapObject()) {
TryRemoveInvalidHandlers(
@@ -399,6 +387,14 @@ void IC::UpdateState(Handle<Object> receiver,
Handle<Object> name) {
receiver, Handle<String>::cast(name))) {
return MarkMonomorphicPrototypeFailure();
}
+
+ // The builtins object is special. It only changes when JavaScript
+ // builtins are loaded lazily. It is important to keep inline
+ // caches for the builtins object monomorphic. Therefore, if we get
+ // an inline cache miss for the builtins object after lazily loading
+ // JavaScript builtins, we return uninitialized as the state to
+ // force the inline cache back to monomorphic state.
+ if (receiver->IsJSBuiltinsObject()) state_ = UNINITIALIZED;
}
Index: src/stub-cache.cc
diff --git a/src/stub-cache.cc b/src/stub-cache.cc
index
751798d80365bc859a18a2782fd5e67ddbf8e88f..f53b980440f37d64e4e164df1facd2fddb02c45c
100644
--- a/src/stub-cache.cc
+++ b/src/stub-cache.cc
@@ -181,7 +181,7 @@ Handle<Code>
StubCache::ComputeLoadNonexistent(Handle<Name> name,
do {
current = Handle<JSObject>::cast(next);
next = Handle<Object>(current->GetPrototype(), isolate_);
- if (current->IsGlobalObject()) {
+ if (current->IsJSGlobalObject()) {
global = Handle<GlobalObject>::cast(current);
cache_name = name;
} else if (!current->HasFastProperties()) {
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
