[compiler] Fix a bug in global property access reduction

Bug: chromium:1247763 Change-Id: I6f09d5113ef7e4774032ea586d5a1ada98aa4b1b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3149462 Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/main@{#76752}
2021-09-09 14:41:58 +02:00 · 2021-09-09 14:41:58 +02:00 · 6391d7a58d
commit 6391d7a58d
parent 62ed75a1d2
1 changed files with 7 additions and 11 deletions
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@ -804,6 +804,12 @@ Reduction JSNativeContextSpecialization::ReduceGlobalAccess(
      return NoChange();
    } else if (property_cell_type == PropertyCellType::kUndefined) {
      return NoChange();
+    } else if (property_cell_type == PropertyCellType::kConstantType) {
+      // We rely on stability further below.
+      if (property_cell_value.IsHeapObject() &&
+          !property_cell_value.AsHeapObject().map().is_stable()) {
+        return NoChange();
+      }
    }
  } else if (access_mode == AccessMode::kHas) {
    DCHECK_EQ(receiver, lookup_start_object);
@ -922,17 +928,7 @@ Reduction JSNativeContextSpecialization::ReduceGlobalAccess(
        if (property_cell_value.IsHeapObject()) {
          MapRef property_cell_value_map =
              property_cell_value.AsHeapObject().map();
-          if (property_cell_value_map.is_stable()) {
-            dependencies()->DependOnStableMap(property_cell_value_map);
-          } else {
-            // The value's map is already unstable. If this store were to go
-            // through the C++ runtime, it would transition the PropertyCell to
-            // kMutable. We don't want to change the cell type from generated
-            // code (to simplify concurrent heap access), however, so we keep
-            // it as kConstantType and do the store anyways (if the new value's
-            // map matches). This is safe because it merely prolongs the limbo
-            // state that we are in already.
-          }
+          dependencies()->DependOnStableMap(property_cell_value_map);

          // Check that the {value} is a HeapObject.
          value = effect = graph()->NewNode(simplified()->CheckHeapObject(),