AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[crankshaft] Don't inline array indexOf operations if receiver's proto is not a JSObject.

Browse Source 
BUG=chromium:577112
LOG=N

Review URL: https://codereview.chromium.org/1584303002

Cr-Commit-Position: refs/heads/master@{#33320}
This commit is contained in:
ishell 2016-01-15 02:19:10 -08:00 committed by Commit bot
parent ea5a1ac8b5
commit 1bb7cfda7f
2 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/crankshaft/hydrogen.cc
View File

@ -9058,6 +9058,7 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall(
case kArrayLastIndexOf: {
if (receiver_map.is_null()) return false;
if (receiver_map->instance_type() != JS_ARRAY_TYPE) return false;
if (!receiver_map->prototype()->IsJSObject()) return false;
ElementsKind kind = receiver_map->elements_kind();
if (!IsFastElementsKind(kind)) return false;
if (receiver_map->is_observed()) return false;

15
test/mjsunit/regress/regress-crbug-577112.js Normal file
View File

@ -0,0 +1,15 @@
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
Array.prototype.__proto__ = null;
var prototype = Array.prototype;
function f() {
prototype.lastIndexOf({});
}
f();
f();
%OptimizeFunctionOnNextCall(f);
f();