[turbofan] Only lower constant load if feedback agrees with receiver map.

Bug: chromium:945187 Change-Id: I564a4495f13651ea9fdf1b95c25658b92ff9de49 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1538125 Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#60437}
2019-03-25 12:46:37 +01:00 · 2019-03-25 12:46:37 +01:00 · 149b82230e
commit 149b82230e
parent 077e49a196
2 changed files with 24 additions and 0 deletions
--- a/src/compiler/property-access-builder.cc
+++ b/src/compiler/property-access-builder.cc
@ -199,6 +199,15 @@ Node* PropertyAccessBuilder::TryBuildLoadConstantDataField(
  // Optimize immutable property loads.
  HeapObjectMatcher m(receiver);
  if (m.HasValue() && m.Value()->IsJSObject()) {
+    // Make sure the actual map of the receiver is among the maps in
+    // {access_info}.
+    Handle<Map> receiver_map = handle(m.Value()->map(), isolate());
+    if (std::find_if(access_info.receiver_maps().begin(),
+                     access_info.receiver_maps().end(), [&](Handle<Map> map) {
+                       return map.address() == receiver_map.address();
+                     }) == access_info.receiver_maps().end()) {
+      return nullptr;
+    }
    // TODO(ishell): Use something simpler like
    //
    // Handle<Object> value =
--- a/test/mjsunit/compiler/regress-945187.js
+++ b/test/mjsunit/compiler/regress-945187.js
@ -0,0 +1,15 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f() {
+  const o = { get : Object };
+  Object.defineProperty(Object, 0, o);
+}
+
+f();
+%OptimizeFunctionOnNextCall(f);
+delete Object.fromEntries;
+f();