[TurboFan] Fix JSNativeContextSpecialization::InferReceiverMap

Before the fix it checked whether the initial map of the base constructor pointed back to the new target. That's only true if initial_map->new_target_is_base() (new.target == target). Now it properly checks that the initial map of the original constructor (new.target) was created in combination with target by checking back that new.target->initial_map()->constructor() == target. BUG= Review-Url: https://codereview.chromium.org/2621303003 Cr-Commit-Position: refs/heads/master@{#42263}
2017-01-12 03:23:48 -08:00 · 2017-01-12 03:23:48 -08:00 · 2bca05685f
commit 2bca05685f
parent e46893c6c4
1 changed files with 5 additions and 5 deletions
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@ -1835,11 +1835,11 @@ MaybeHandle<Map> JSNativeContextSpecialization::InferReceiverMap(Node* receiver,
    HeapObjectMatcher mtarget(m.InputAt(0));
    HeapObjectMatcher mnewtarget(m.InputAt(1));
    if (mtarget.HasValue() && mnewtarget.HasValue()) {
-      Handle<JSFunction> constructor =
-          Handle<JSFunction>::cast(mtarget.Value());
-      if (constructor->has_initial_map()) {
-        Handle<Map> initial_map(constructor->initial_map(), isolate());
-        if (initial_map->constructor_or_backpointer() == *mnewtarget.Value()) {
+      Handle<JSFunction> original_constructor =
+          Handle<JSFunction>::cast(mnewtarget.Value());
+      if (original_constructor->has_initial_map()) {
+        Handle<Map> initial_map(original_constructor->initial_map(), isolate());
+        if (initial_map->constructor_or_backpointer() == *mtarget.Value()) {
          // Walk up the {effect} chain to see if the {receiver} is the
          // dominating effect and there's no other observable write in
          // between.