AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[turbofan] Guard call to ProcessReceiverMapForApiCall

Browse Source 
Subsequently LookupHolderOfExpectedType should be called only
when we have installed handler code.

Bug: chromium:1024936, v8:7790
Change-Id: I33a0a7232afaba8455a0cec1fdc56251947419d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1930905
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65148}
This commit is contained in:
Maya Lekova 2019-11-25 14:35:27 +01:00 committed by Commit Bot
parent 84b3532463
commit 3d0f645f2d
2 changed files with 22 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/compiler/serializer-for-background-compilation.cc
View File

@ -2212,7 +2212,7 @@ void SerializerForBackgroundCompilation::ProcessReceiverMapForApiCall(
FunctionTemplateInfoRef target, Handle<Map> receiver) {
if (!receiver->is_access_check_needed()) {
MapRef receiver_map(broker(), receiver);
TRACE_BROKER(broker(), "Serializing holder for target:" << target);
TRACE_BROKER(broker(), "Serializing holder for target: " << target);
target.LookupHolderOfExpectedType(receiver_map,
SerializationPolicy::kSerializeIfNeeded);
}
@ -2896,8 +2896,10 @@ SerializerForBackgroundCompilation::ProcessMapForNamedPropertyAccess(
if (sfi->IsApiFunction()) {
FunctionTemplateInfoRef fti_ref(
broker(), handle(sfi->get_api_func_data(), broker()->isolate()));
if (fti_ref.has_call_code()) fti_ref.SerializeCallCode();
ProcessReceiverMapForApiCall(fti_ref, receiver_map.object());
if (fti_ref.has_call_code()) {
fti_ref.SerializeCallCode();
ProcessReceiverMapForApiCall(fti_ref, receiver_map.object());
}
}
} else if (access_info.constant()->IsJSBoundFunction()) {
JSBoundFunctionRef function(broker(), access_info.constant());

17
test/mjsunit/compiler/regress-1024936.js Normal file
View File

@ -0,0 +1,17 @@
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
Object.defineProperty(Number.prototype, "v", { get: constructor });
function get_v(num) {
return num.v;
}
let n = new Number(42);
%PrepareFunctionForOptimization(get_v);
get_v(n);
get_v(n);
%OptimizeFunctionOnNextCall(get_v);
get_v(n);