Fix loading non-configurable non-writable value from a constant with mismatching type feedback

BUG=410209 LOG=n R=jarin@chromium.org Review URL: https://codereview.chromium.org/534093003 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23650 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-03 12:13:46 +00:00 · 2014-09-03 12:13:46 +00:00 · 03b0237e1d
commit 03b0237e1d
parent 258ac97bac
3 changed files with 40 additions and 5 deletions
--- a/src/hydrogen-instructions.h
+++ b/src/hydrogen-instructions.h
@ -3491,6 +3491,14 @@ class HConstant FINAL : public HTemplateInstruction<0> {
        zone, context, value, representation));
  }

+  virtual Handle<Map> GetMonomorphicJSObjectMap() OVERRIDE {
+    Handle<Object> object = object_.handle();
+    if (object->IsHeapObject()) {
+      return v8::internal::handle(HeapObject::cast(*object)->map());
+    }
+    return Handle<Map>();
+  }
+
  static HConstant* CreateAndInsertBefore(Zone* zone,
                                          HValue* context,
                                          int32_t value,
@ -5512,7 +5520,7 @@ class HAllocate FINAL : public HTemplateInstruction<2> {
    }
  }

-  virtual Handle<Map> GetMonomorphicJSObjectMap() {
+  virtual Handle<Map> GetMonomorphicJSObjectMap() OVERRIDE {
    return known_initial_map_;
  }

--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@ -5792,16 +5792,16 @@ HInstruction* HOptimizedGraphBuilder::BuildLoadNamedField(
    PropertyAccessInfo* info,
    HValue* checked_object) {
  // See if this is a load for an immutable property
-  if (checked_object->ActualValue()->IsConstant() && info->IsReadOnly() &&
-      !info->IsConfigurable()) {
+  if (checked_object->ActualValue()->IsConstant()) {
    Handle<Object> object(
        HConstant::cast(checked_object->ActualValue())->handle(isolate()));

    if (object->IsJSObject()) {
      LookupIterator it(object, info->name(), LookupIterator::OWN_PROPERTY);
      Handle<Object> value = JSObject::GetDataProperty(&it);
-      CHECK(it.IsFound());
-      return New<HConstant>(value);
+      if (it.IsFound() && it.IsReadOnly() && !it.IsConfigurable()) {
+        return New<HConstant>(value);
+      }
    }
  }

--- a/test/mjsunit/regress/regress-inline-constant-load.js
+++ b/test/mjsunit/regress/regress-inline-constant-load.js
@ -0,0 +1,27 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var o1 = {};
+var o2 = {};
+
+function foo(x) {
+  return x.bar;
+}
+
+Object.defineProperty(o1, "bar", {value:200});
+foo(o1);
+foo(o1);
+
+function f(b) {
+  var o = o2;
+  if (b) { return foo(o) }
+}
+
+f(false);
+%OptimizeFunctionOnNextCall(f);
+assertEquals(undefined, f(false));
+Object.defineProperty(o2, "bar", {value: 100});
+assertEquals(100, f(true));