Reviewers: Benedikt Meurer, Toon Verwaest,
Description:
Add missing map check to optimized f.apply(...)
This is a cutdown version of https://codereview.chromium.org/346473002/,
which
aimed to fix f.call and f.apply. Optimized f.call was removed by r21887,
this is
what was left.
BUG=386034
LOG=N
Please review this at https://codereview.chromium.org/348623002/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+13, -8 lines):
M src/hydrogen.cc
A + test/mjsunit/regress/regress-386034.js
Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index
8be2c6717e2e53107a498adf5a263a11a4275377..6e5ea741bdd0524973f41d487a780d4b0c5c68a8
100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -8563,10 +8563,12 @@ bool HOptimizedGraphBuilder::TryCallApply(Call*
expr) {
HValue* function = Pop(); // f
Drop(1); // apply
+ HValue* checked_function = AddCheckMap(function, function_map);
+
if (function_state()->outer() == NULL) {
HInstruction* elements = Add<HArgumentsElements>(false);
HInstruction* length = Add<HArgumentsLength>(elements);
- HValue* wrapped_receiver = BuildWrapReceiver(receiver, function);
+ HValue* wrapped_receiver = BuildWrapReceiver(receiver,
checked_function);
HInstruction* result = New<HApplyArguments>(function,
wrapped_receiver,
length,
@@ -8582,7 +8584,7 @@ bool HOptimizedGraphBuilder::TryCallApply(Call* expr)
{
const ZoneList<HValue*>* arguments_values = args->arguments_values();
int arguments_count = arguments_values->length();
Push(function);
- Push(BuildWrapReceiver(receiver, function));
+ Push(BuildWrapReceiver(receiver, checked_function));
for (int i = 1; i < arguments_count; i++) {
Push(arguments_values->at(i));
}
Index: test/mjsunit/regress/regress-386034.js
diff --git a/test/mjsunit/regress/regress-385054.js
b/test/mjsunit/regress/regress-386034.js
similarity index 61%
copy from test/mjsunit/regress/regress-385054.js
copy to test/mjsunit/regress/regress-386034.js
index
115bca0d21989e2a82325aeb66d8c06aa5ab198c..d770ce91bd64ad6e1307b1b699948b2513359efc
100644
--- a/test/mjsunit/regress/regress-385054.js
+++ b/test/mjsunit/regress/regress-386034.js
@@ -5,12 +5,15 @@
// Flags: --allow-natives-syntax
function f(x) {
- var a = [1, 2];
- a[x];
- return a[0 - x];
+ var v = x;
+ for (i = 0; i < 1; i++) {
+ v.apply(this, arguments);
+ }
}
-f(0);
-f(0);
+function g() {}
+
+f(g);
+f(g);
%OptimizeFunctionOnNextCall(f);
-assertEquals(undefined, f(1));
+assertThrows(function() { f('----'); }, TypeError);
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
