[compiler] Fix a bug in global property access reduction
Bug: chromium:1247763 Change-Id: I6f09d5113ef7e4774032ea586d5a1ada98aa4b1b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3149462 Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/main@{#76752}
This commit is contained in:
parent
62ed75a1d2
commit
6391d7a58d
@ -804,6 +804,12 @@ Reduction JSNativeContextSpecialization::ReduceGlobalAccess(
|
|||||||
return NoChange();
|
return NoChange();
|
||||||
} else if (property_cell_type == PropertyCellType::kUndefined) {
|
} else if (property_cell_type == PropertyCellType::kUndefined) {
|
||||||
return NoChange();
|
return NoChange();
|
||||||
|
} else if (property_cell_type == PropertyCellType::kConstantType) {
|
||||||
|
// We rely on stability further below.
|
||||||
|
if (property_cell_value.IsHeapObject() &&
|
||||||
|
!property_cell_value.AsHeapObject().map().is_stable()) {
|
||||||
|
return NoChange();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
} else if (access_mode == AccessMode::kHas) {
|
} else if (access_mode == AccessMode::kHas) {
|
||||||
DCHECK_EQ(receiver, lookup_start_object);
|
DCHECK_EQ(receiver, lookup_start_object);
|
||||||
@ -922,17 +928,7 @@ Reduction JSNativeContextSpecialization::ReduceGlobalAccess(
|
|||||||
if (property_cell_value.IsHeapObject()) {
|
if (property_cell_value.IsHeapObject()) {
|
||||||
MapRef property_cell_value_map =
|
MapRef property_cell_value_map =
|
||||||
property_cell_value.AsHeapObject().map();
|
property_cell_value.AsHeapObject().map();
|
||||||
if (property_cell_value_map.is_stable()) {
|
dependencies()->DependOnStableMap(property_cell_value_map);
|
||||||
dependencies()->DependOnStableMap(property_cell_value_map);
|
|
||||||
} else {
|
|
||||||
// The value's map is already unstable. If this store were to go
|
|
||||||
// through the C++ runtime, it would transition the PropertyCell to
|
|
||||||
// kMutable. We don't want to change the cell type from generated
|
|
||||||
// code (to simplify concurrent heap access), however, so we keep
|
|
||||||
// it as kConstantType and do the store anyways (if the new value's
|
|
||||||
// map matches). This is safe because it merely prolongs the limbo
|
|
||||||
// state that we are in already.
|
|
||||||
}
|
|
||||||
|
|
||||||
// Check that the {value} is a HeapObject.
|
// Check that the {value} is a HeapObject.
|
||||||
value = effect = graph()->NewNode(simplified()->CheckHeapObject(),
|
value = effect = graph()->NewNode(simplified()->CheckHeapObject(),
|
||||||
|
Loading…
Reference in New Issue
Block a user