[turbofan] Don't optimize Function#bind in case of custom prototype.

Avoid calling Map::TransitionToPrototype (which reads and writes the JS heap) by skipping the JSCallReducer optimization of Function#bind whenever the receiver has a custom prototype. Bug: v8:7790 Change-Id: Ie21475c5dc5c53d90c6afae8198837deb40dac8e Reviewed-on: https://chromium-review.googlesource.com/c/1288631 Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Reviewed-by: Maya Lekova <mslekova@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#56840}
2018-10-18 13:18:41 +02:00 · 2018-10-18 13:18:41 +02:00 · 12e0d1f2f9
commit 12e0d1f2f9
parent 2a08adbb6b
1 changed files with 3 additions and 5 deletions
--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@ -451,16 +451,14 @@ Reduction JSCallReducer::ReduceFunctionPrototypeBind(Node* node) {
    }
  }

-  // Setup the map for the resulting JSBoundFunction with the
-  // correct instance {prototype}.
+  // Choose the map for the resulting JSBoundFunction (but bail out in case of a
+  // custom prototype).
  Handle<Map> map(
      is_constructor
          ? native_context()->bound_function_with_constructor_map()
          : native_context()->bound_function_without_constructor_map(),
      isolate());
-  if (map->prototype() != *prototype) {
-    map = Map::TransitionToPrototype(isolate(), map, prototype);
-  }
+  if (map->prototype() != *prototype) return NoChange();

  // Make sure we can rely on the {receiver_maps}.
  if (result == NodeProperties::kUnreliableReceiverMaps) {