[turbofan] Fix another bug in InferHasInPrototypeChain

Bug: v8:9087 Change-Id: Ia806686b47f0e6ddc89f6b043df65ab8a931bbf8 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1552798 Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#60644}
2019-04-05 11:36:22 +02:00 · 2019-04-05 11:36:22 +02:00 · 31af63a49b
commit 31af63a49b
parent 1fb26d837f
1 changed files with 7 additions and 1 deletions
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@ -569,7 +569,13 @@ JSNativeContextSpecialization::InferHasInPrototypeChain(
  {
    base::Optional<JSObjectRef> last_prototype;
    if (all) {
-      // We don't need to protect the full chain if we found the prototype.
+      // We don't need to protect the full chain if we found the prototype, we
+      // can stop at {prototype}.  In fact we could stop at the one before
+      // {prototype} but since we're dealing with multiple receiver maps this
+      // might be a different object each time, so it's much simpler to include
+      // {prototype}. That does, however, mean that we must check {prototype}'s
+      // map stability.
+      if (!prototype->map()->is_stable()) return kMayBeInPrototypeChain;
      last_prototype.emplace(broker(), Handle<JSObject>::cast(prototype));
    }
    WhereToStart start = result == NodeProperties::kUnreliableReceiverMaps