[v8-dev] Re: 3.20 branch: Fix HObjectAccess for loads from migrating prototypes (issue 37253003)

[jkummerow]

Reviewers: ulan,

Message:
Committed patchset #1 manually as r17655 (presubmit successful).
Description:
3.20 branch: Fix HObjectAccess for loads from migrating prototypes

BUG=chromium:305309
R=u...@chromium.org

Committed: http://code.google.com/p/v8/source/detail?r=17655

Please review this at https://codereview.chromium.org/37253003/

SVN Base: https://v8.googlecode.com/svn/branches/3.20

Affected files (+19, -12 lines):
  M src/hydrogen.cc
  M src/version.cc
  A + test/mjsunit/regress/regress-crbug-305309.js


Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index  
f9ee50c1bb4c3ac66c8c0edb35325a77cf977b4c..b0c69ff0a11bd3b297d2466f3492f178943b26ef  
100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -5451,10 +5451,10 @@ HInstruction*  
HOptimizedGraphBuilder::BuildLoadNamedMonomorphic(
   if (lookup.IsField()) {
     Handle<JSObject> prototype(JSObject::cast(map->prototype()));
     Handle<JSObject> holder(lookup.holder());
-    Handle<Map> holder_map(holder->map());
     HCheckMaps* type_check = AddCheckMap(object, map);
     BuildCheckPrototypeMaps(prototype, holder);
     HValue* holder_value = Add<HConstant>(holder);
+    Handle<Map> holder_map(holder->map());
     return BuildLoadNamedField(holder_value,
         HObjectAccess::ForField(holder_map, &lookup, name), type_check);
   }
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index  
2af2e329451ffb40cf49cbaa900f980312ad983d..61089d6f1f45078c05677f8cf6c15e5b82086b83  
100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     20
 #define BUILD_NUMBER      17
-#define PATCH_LEVEL       15
+#define PATCH_LEVEL       16
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
Index: test/mjsunit/regress/regress-crbug-305309.js
diff --git a/test/mjsunit/constant-compare-nil-value.js  
b/test/mjsunit/regress/regress-crbug-305309.js
similarity index 80%
copy from test/mjsunit/constant-compare-nil-value.js
copy to test/mjsunit/regress/regress-crbug-305309.js
index  
9f5b2adb063abc0c7920d8dee30edb7ee6eb1ff9..cd89bedc112002b776ff5dc6f6e41571e81b5bc0  
100644
--- a/test/mjsunit/constant-compare-nil-value.js
+++ b/test/mjsunit/regress/regress-crbug-305309.js
@@ -27,16 +27,23 @@

 // Flags: --allow-natives-syntax

-function inlined() {
-    return 1;
+function BadProto() {
+  this.constant_function = function() {};
+  this.one = 1;
+  this.two = 2;
 }
+var b1 = new BadProto();
+var b2 = new BadProto();

-function foo() {
-    if ((inlined() + 0.5) == null) return "null";
-    return "non-null";
-}
+function Ctor() {}
+Ctor.prototype = b1;
+var a = new Ctor();

-assertEquals("non-null", foo());
-assertEquals("non-null", foo());
-%OptimizeFunctionOnNextCall(foo);
-assertEquals("non-null", foo());
+function Two(x) {
+  return x.two;
+}
+assertEquals(2, Two(a));
+assertEquals(2, Two(a));
+b2.constant_function = "no longer constant!";
+%OptimizeFunctionOnNextCall(Two);
+assertEquals(2, Two(a));


--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
--- 
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.