Fix Hydrogen's BuildStore()

BUG=chromium:417508 LOG=y R=jarin@chromium.org Review URL: https://codereview.chromium.org/612423002 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24366 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-10-01 13:17:34 +00:00 · 2014-10-01 13:17:34 +00:00 · 1bb52d0da8
commit 1bb52d0da8
parent d6eea5742d
2 changed files with 43 additions and 11 deletions
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@ -6450,16 +6450,19 @@ void HOptimizedGraphBuilder::BuildStore(Expression* expr,
                                        bool is_uninitialized) {
  if (!prop->key()->IsPropertyName()) {
    // Keyed store.
-    HValue* value = environment()->ExpressionStackAt(0);
-    HValue* key = environment()->ExpressionStackAt(1);
-    HValue* object = environment()->ExpressionStackAt(2);
+    HValue* value = Pop();
+    HValue* key = Pop();
+    HValue* object = Pop();
    bool has_side_effects = false;
-    HandleKeyedElementAccess(object, key, value, expr, ast_id, return_id, STORE,
-                             &has_side_effects);
-    Drop(3);
-    Push(value);
-    Add<HSimulate>(return_id, REMOVABLE_SIMULATE);
-    return ast_context()->ReturnValue(Pop());
+    HValue* result = HandleKeyedElementAccess(
+        object, key, value, expr, ast_id, return_id, STORE, &has_side_effects);
+    if (has_side_effects) {
+      if (!ast_context()->IsEffect()) Push(value);
+      Add<HSimulate>(ast_id, REMOVABLE_SIMULATE);
+      if (!ast_context()->IsEffect()) Drop(1);
+    }
+    if (result == NULL) return;
+    return ast_context()->ReturnValue(value);
  }

  // Named store.
@ -7089,7 +7092,7 @@ HValue* HOptimizedGraphBuilder::HandlePolymorphicElementAccess(
          store_mode);
    }
    *has_side_effects |= instr->HasObservableSideEffects();
-    return access_type == STORE ? NULL : instr;
+    return access_type == STORE ? val : instr;
  }

  HBasicBlock* join = graph()->CreateBasicBlock();
@ -7142,7 +7145,7 @@ HValue* HOptimizedGraphBuilder::HandlePolymorphicElementAccess(
  NoObservableSideEffectsScope scope(this);
  FinishExitWithHardDeoptimization("Unknown map in polymorphic element access");
  set_current_block(join);
-  return access_type == STORE ? NULL : Pop();
+  return access_type == STORE ? val : Pop();
 }


--- a/test/mjsunit/regress/regress-crbug-417508.js
+++ b/test/mjsunit/regress/regress-crbug-417508.js
@ -0,0 +1,29 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(x) {
+  var k = "value";
+  return x[k] = 1;
+}
+var obj = {};
+Object.defineProperty(obj, "value", {set: function(x) { throw "nope"; }});
+try { foo(obj); } catch(e) {}
+try { foo(obj); } catch(e) {}
+%OptimizeFunctionOnNextCall(foo);
+try { foo(obj); } catch(e) {}
+
+function bar(x) {
+  var k = "value";
+  return (x[k] = 1) ? "ok" : "nope";
+}
+var obj2 = {};
+Object.defineProperty(obj2, "value",
+    {set: function(x) { throw "nope"; return true; } });
+
+try { bar(obj2); } catch(e) {}
+try { bar(obj2); } catch(e) {}
+%OptimizeFunctionOnNextCall(bar);
+try { bar(obj2); } catch(e) {}