AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Properly handle non-JSFunction constructors in CanRetainOtherContext

Browse Source 
BUG=

Review URL: https://codereview.chromium.org/1017263003

Cr-Commit-Position: refs/heads/master@{#27379}
This commit is contained in:
verwaest 2015-03-23 12:24:44 -07:00 committed by Commit bot
parent 11fb202f96
commit 1b16678f25
2 changed files with 17 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/type-info.cc
View File

@ -438,6 +438,9 @@ bool TypeFeedbackOracle::CanRetainOtherContext(Map* map,
} }
constructor = map->GetConstructor(); constructor = map->GetConstructor();
if (constructor->IsNull()) return false; if (constructor->IsNull()) return false;
// If the constructor is not null or a JSFunction, we have to conservatively
// assume that it may retain a native context.
if (!constructor->IsJSFunction()) return true;
JSFunction* function = JSFunction::cast(constructor); JSFunction* function = JSFunction::cast(constructor);
return CanRetainOtherContext(function, native_context); return CanRetainOtherContext(function, native_context);
} }

14
test/mjsunit/regress/regress-filter-contexts.js Normal file
View File

@ -0,0 +1,14 @@
// Copyright 2015 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f() { return f.x; }
f.__proto__ = null;
f.prototype = "";
f();
f();
%OptimizeFunctionOnNextCall(f);
f();