Reviewers: Toon Verwaest,

Description:
Merge r19847 and r19893 to 3.23 branch.

[email protected]
BUG=350884
LOG=N

Please review this at https://codereview.chromium.org/196413031/

SVN Base: https://v8.googlecode.com/svn/branches/3.23

Affected files (+19, -3 lines):
  M src/ic.cc
  M src/version.cc
  A test/mjsunit/regress/regress-350884.js


Index: src/ic.cc
diff --git a/src/ic.cc b/src/ic.cc
index fc1ca53290e87b3d1028add40440a03e235a1d18..cd508707e7f343bebca232c46111eb85274d9c3f 100644
--- a/src/ic.cc
+++ b/src/ic.cc
@@ -1746,14 +1746,15 @@ Handle<Code> KeyedStoreIC::StoreElementStub(Handle<JSObject> receiver,
       transitioned_receiver_map =
           ComputeTransitionedMap(receiver, store_mode);
     }
- if (IsTransitionOfMonomorphicTarget(MapToType(transitioned_receiver_map))) {
+    if (receiver_map.is_identical_to(previous_receiver_map) ||
+ IsTransitionOfMonomorphicTarget(MapToType(transitioned_receiver_map))) {
       // Element family is the same, use the "worst" case map.
       store_mode = GetNonTransitioningStoreMode(store_mode);
       return isolate()->stub_cache()->ComputeKeyedStoreElement(
           transitioned_receiver_map, strict_mode(), store_mode);
     } else if (*previous_receiver_map == receiver->map() &&
                old_store_mode == STANDARD_STORE &&
-               (IsGrowStoreMode(store_mode) ||
+               (store_mode == STORE_AND_GROW_NO_TRANSITION ||
                 store_mode == STORE_NO_TRANSITION_IGNORE_OUT_OF_BOUNDS ||
                 store_mode == STORE_NO_TRANSITION_HANDLE_COW)) {
       // A "normal" IC that handles stores can switch to a version that can
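Review bot: With the added `receiver_map.is_identical_to(previous_receiver_map)` disjunct, the `else if` that begins with `*previous_receiver_map == receiver->map()` looks unreachable if `receiver_map` is the handle for `receiver->map()`; that declaration is outside the hunk, so this needs confirming. If it is unreachable, remove the second branch or rework its guard rather than leave dead code in the logic that selects the keyed-store stub, since the store mode chosen here (grow, ignore out-of-bounds, COW) governs how later stores through this IC are handled. The existing comment covers only the transition case; I would reword it to `// Receiver map is unchanged or in the same element family; use the "worst" case map.` A short comment on why `IsGrowStoreMode(store_mode)` was narrowed to `STORE_AND_GROW_NO_TRANSITION` would also help the next reader. StoreElementStub starts and ends outside the hunk.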
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index b6cf931567b2993645df528e970cb9b52d3fabf4..2643ae7779f935b0d22094c7b5048467e29316ce 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     23
 #define BUILD_NUMBER      17
-#define PATCH_LEVEL       26
+#define PATCH_LEVEL       27
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
Index: test/mjsunit/regress/regress-350884.js
diff --git a/test/mjsunit/regress/regress-350884.js b/test/mjsunit/regress/regress-350884.js
new file mode 100644
index 0000000000000000000000000000000000000000..86568534ee705e0adfb945912dde5e1487b192a7
--- /dev/null
+++ b/test/mjsunit/regress/regress-350884.js
@@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var obj = new Array(1);
+obj[0] = 0;
+obj[1] = 0;
+function foo(flag_index) {
+  obj[flag_index]++;
+}
+
+// Force dictionary properties on obj.
+obj[-8] = 3;
+foo(1);
+foo(2);
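Review bot: The regression test asserts nothing, so it only fails if the engine crashes or trips a debug check; a store through the wrong stub that silently lands in the wrong place would still pass. After `foo(2)` I would add `assertEquals(1, obj[1]);`, `assertTrue(isNaN(obj[2]));` and `assertEquals(3, obj.length);`. A header comment naming the exercised path would help too: `foo(1)` stores in bounds and `foo(2)` stores one past the end through the same keyed-store site.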

