Reviewers: Michael Starzinger, Toon Verwaest,
Message:
Simple fix. Toon, I'm adding you as drive-by-validator :).
Thx,
--Michael
Description:
Fix for v8:3255 Grow KeyedStoreIC doesn't respect String value wrappers
BUG=v8:3255
LOG=N
Please review this at https://codereview.chromium.org/226053002/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+21, -0 lines):
M src/ic.cc
A test/mjsunit/regress/regress-3255.js
Index: src/ic.cc
diff --git a/src/ic.cc b/src/ic.cc
index
688908ead2fa6a1546577971c16ae4ae36d0feb8..a2215ed17095fa1091073b05809ef9c282210d83
100644
--- a/src/ic.cc
+++ b/src/ic.cc
@@ -1743,6 +1743,7 @@ MaybeObject* KeyedStoreIC::Store(Handle<Object>
object,
if (maybe_object->IsFailure()) return maybe_object;
} else {
bool use_ic = FLAG_use_ic &&
+ !object->IsStringWrapper() &&
!object->IsAccessCheckNeeded() &&
!object->IsJSGlobalProxy() &&
!(object->IsJSObject() &&
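Review bot: The new `!object->IsStringWrapper()` term in the `use_ic` condition has no comment saying why String wrappers must bypass the IC. The neighbouring terms are security or proxy checks, so this one reads as unrelated without context. Please add a short comment above the condition that points at v8:3255 and says that the grow store mode must not be applied to String value wrappers. Also note in the description that the term is ANDed in unconditionally, so every keyed store with a String wrapper receiver now takes the non-IC path whatever the key is. If that cost is intended, say so. If only the grow case is unsafe, consider narrowing the check to where the store mode is chosen.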
Index: test/mjsunit/regress/regress-3255.js
diff --git a/test/mjsunit/regress/regress-3255.js
b/test/mjsunit/regress/regress-3255.js
new file mode 100644
index
0000000000000000000000000000000000000000..90d632c7baa859ff0f0da26ee4b7b2fbd13f3833
--- /dev/null
+++ b/test/mjsunit/regress/regress-3255.js
@@ -0,0 +1,20 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --enable-slow-asserts
+
+var arr = [];
+var str = new String('x');
+
+function f(a,b) {
+ a[b] = 1;
+}
+
+f(arr, 0);
+f(str, 0);
+f(str, 0);
+print(str);
+
+// This is just to trigger elements validation, object already broken.
+%SetProperty(str, 1, 'y', 0);
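Review bot: The regression test asserts nothing itself. It ends in `print(str);` and a `%SetProperty` call, and it can only fail through the elements validation that `--enable-slow-asserts` turns on. In a configuration where that validation does not run, the test passes even with the fix reverted. Please replace `print(str);` with explicit mjsunit checks after the two `f(str, 0)` calls, for example `assertEquals('x', str[0]);` and `assertEquals(1, str.length);`, so the expected behaviour of the wrapper is stated in the test. A one-line comment on why `f(arr, 0)` runs first (to put the store IC into the grow state before it sees the String wrapper) would also help the next reader.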
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev