Reviewers: jbramley,
Message:
PTAL
Description:
Fix result of LCodeGen::DoWrapReceiver for strict functions and builtins.
BUG=362128
LOG=Y
TEST=mjsunit/regress/regress-362128
Please review this at https://codereview.chromium.org/226363007/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+43, -3 lines):
M src/arm64/lithium-codegen-arm64.cc
A test/mjsunit/regress/regress-362128.js
Index: src/arm64/lithium-codegen-arm64.cc
diff --git a/src/arm64/lithium-codegen-arm64.cc
b/src/arm64/lithium-codegen-arm64.cc
index
99f3b27d830077f8a431c1e5694108716cbb2f90..b5ca5d462850c00880b3a3519cfe262cc2c299b9
100644
--- a/src/arm64/lithium-codegen-arm64.cc
+++ b/src/arm64/lithium-codegen-arm64.cc
@@ -5822,7 +5822,7 @@ void LCodeGen::DoWrapReceiver(LWrapReceiver* instr) {
// If the receiver is null or undefined, we have to pass the global
object as
// a receiver to normal functions. Values have to be passed unchanged to
// builtins and strict-mode functions.
- Label global_object, done;
+ Label global_object, done, copy_receiver;
if (!instr->hydrogen()->known_function()) {
__ Ldr(result, FieldMemOperand(function,
@@ -5833,10 +5833,10 @@ void LCodeGen::DoWrapReceiver(LWrapReceiver* instr)
{
FieldMemOperand(result,
SharedFunctionInfo::kCompilerHintsOffset));
// Do not transform the receiver to object for strict mode functions.
- __ Tbnz(result, SharedFunctionInfo::kStrictModeFunction, &done);
+ __ Tbnz(result, SharedFunctionInfo::kStrictModeFunction,
©_receiver);
// Do not transform the receiver to object for builtins.
- __ Tbnz(result, SharedFunctionInfo::kNative, &done);
+ __ Tbnz(result, SharedFunctionInfo::kNative, ©_receiver);
}
// Normal function. Replace undefined or null with global receiver.
@@ -5854,7 +5854,10 @@ void LCodeGen::DoWrapReceiver(LWrapReceiver* instr) {
__ Ldr(result, FieldMemOperand(function, JSFunction::kContextOffset));
__ Ldr(result, ContextMemOperand(result, Context::GLOBAL_OBJECT_INDEX));
__ Ldr(result, FieldMemOperand(result,
GlobalObject::kGlobalReceiverOffset));
+ __ B(&done);
+ __ Bind(©_receiver);
+ __ Mov(result, receiver);
__ Bind(&done);
}
Index: test/mjsunit/regress/regress-362128.js
diff --git a/test/mjsunit/regress/regress-362128.js
b/test/mjsunit/regress/regress-362128.js
new file mode 100644
index
0000000000000000000000000000000000000000..18ac5db90761528326eaf2f2f3863b0a41c92fb7
--- /dev/null
+++ b/test/mjsunit/regress/regress-362128.js
@@ -0,0 +1,37 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+// Flags: --allow-natives-syntax
+
+function genM() {
+ "use strict";
+ return function () {
+ return this.field;
+ };
+}
+
+function genR() {
+ var x = {
+ field: 10
+ }
+ return x;
+}
+
+method = {};
+receiver = {};
+
+method = genM("A");
+receiver = genR("A");
+
+var foo = (function () {
+ return function suspect (name) {
+ "use strict";
+ return method.apply(receiver, arguments);
+ }
+})();
+
+foo("a", "b", "c");
+foo("a", "b", "c");
+foo("a", "b", "c");
+%OptimizeFunctionOnNextCall(foo);
+foo("a", "b", "c");
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
