[super IC] Fix a receiver vs lookup start object confusion bug
Bug: chromium:1203122 Change-Id: I80a22bbc1e700cca33e26d6a1cf294a5e9a334eb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2856538 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#74290}
This commit is contained in:
parent
7d5e5f6c62
commit
387c803020
@ -220,8 +220,8 @@ void AccessorAssembler::HandleLoadICHandlerCase(
|
||||
BIND(&call_handler);
|
||||
{
|
||||
exit_point->ReturnCallStub(LoadWithVectorDescriptor{}, CAST(handler),
|
||||
p->context(), p->receiver(), p->name(),
|
||||
p->slot(), p->vector());
|
||||
p->context(), p->lookup_start_object(),
|
||||
p->name(), p->slot(), p->vector());
|
||||
}
|
||||
}
|
||||
|
||||
|
14
src/ic/ic.cc
14
src/ic/ic.cc
@ -835,25 +835,28 @@ Handle<Object> LoadIC::ComputeHandler(LookupIterator* lookup) {
|
||||
Handle<Object> receiver = lookup->GetReceiver();
|
||||
ReadOnlyRoots roots(isolate());
|
||||
|
||||
Handle<Object> lookup_start_object = lookup->lookup_start_object();
|
||||
// `in` cannot be called on strings, and will always return true for string
|
||||
// wrapper length and function prototypes. The latter two cases are given
|
||||
// LoadHandler::LoadNativeDataProperty below.
|
||||
if (!IsAnyHas() && !lookup->IsElement()) {
|
||||
if (receiver->IsString() && *lookup->name() == roots.length_string()) {
|
||||
if (lookup_start_object->IsString() &&
|
||||
*lookup->name() == roots.length_string()) {
|
||||
TRACE_HANDLER_STATS(isolate(), LoadIC_StringLength);
|
||||
return BUILTIN_CODE(isolate(), LoadIC_StringLength);
|
||||
}
|
||||
|
||||
if (receiver->IsStringWrapper() &&
|
||||
if (lookup_start_object->IsStringWrapper() &&
|
||||
*lookup->name() == roots.length_string()) {
|
||||
TRACE_HANDLER_STATS(isolate(), LoadIC_StringWrapperLength);
|
||||
return BUILTIN_CODE(isolate(), LoadIC_StringWrapperLength);
|
||||
}
|
||||
|
||||
// Use specialized code for getting prototype of functions.
|
||||
if (receiver->IsJSFunction() &&
|
||||
if (lookup_start_object->IsJSFunction() &&
|
||||
*lookup->name() == roots.prototype_string() &&
|
||||
!JSFunction::cast(*receiver).PrototypeRequiresRuntimeLookup()) {
|
||||
!JSFunction::cast(*lookup_start_object)
|
||||
.PrototypeRequiresRuntimeLookup()) {
|
||||
TRACE_HANDLER_STATS(isolate(), LoadIC_FunctionPrototypeStub);
|
||||
return BUILTIN_CODE(isolate(), LoadIC_FunctionPrototype);
|
||||
}
|
||||
@ -864,8 +867,7 @@ Handle<Object> LoadIC::ComputeHandler(LookupIterator* lookup) {
|
||||
bool holder_is_lookup_start_object;
|
||||
if (lookup->state() != LookupIterator::JSPROXY) {
|
||||
holder = lookup->GetHolder<JSObject>();
|
||||
holder_is_lookup_start_object =
|
||||
lookup->lookup_start_object().is_identical_to(holder);
|
||||
holder_is_lookup_start_object = lookup_start_object.is_identical_to(holder);
|
||||
}
|
||||
|
||||
switch (lookup->state()) {
|
||||
|
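Review bot: In the hunk at @ -835, `Handle<Object> receiver = lookup->GetReceiver();` is kept while every use in the shown lines now goes through the new `lookup_start_object` local; if nothing later in ComputeHandler still reads `receiver` (the function body continues outside both hunks), that declaration is now dead and should be dropped, and if something does, the two roles deserve a short comment since confusing them is exactly what this commit fixes. The reason for the switch is also worth stating where `lookup_start_object` is introduced, e.g. `// The specialized string-length, wrapper-length and function-prototype handlers are keyed on the object the lookup started at, not the receiver; the two differ for super property loads.` — the "super" part is inferred from the commit title rather than from these lines, so adjust it if the actual motivation differs. The hunk at @ -864 consistently moves `holder_is_lookup_start_object` onto the same local, which keeps the two hunks in agreement.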