AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Clear invalid field maps in PropertyAccessInfo.

Browse Source 
BUG=363956
TEST=mjsunit/regress/regress-363956
LOG=y
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/239623005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20788 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This commit is contained in:
bmeurer@chromium.org 2014-04-16 09:48:32 +00:00
parent 0422c426bf
commit 63a477b29b
2 changed files with 19 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/hydrogen.cc
View File

@ -5493,7 +5493,7 @@ bool HOptimizedGraphBuilder::PropertyAccessInfo::IsCompatible(
if (!IsLoad()) return false;
// Throw away type information for merging polymorphic loads.
field_map_ = info->field_map_ = Handle<Map>();
info->field_map_ = Handle<Map>::null();
}
info->GeneralizeRepresentation(r);
return true;
@ -5518,7 +5518,7 @@ bool HOptimizedGraphBuilder::PropertyAccessInfo::LoadResult(Handle<Map> map) {
access_ = HObjectAccess::ForField(map, &lookup_, name_);
// Load field map for heap objects.
if (access_.representation().IsHeapObject()) LoadFieldMap(map);
LoadFieldMap(map);
} else if (lookup_.IsPropertyCallbacks()) {
Handle<Object> callback(lookup_.GetValueFromMap(*map), isolate());
if (!callback->IsAccessorPair()) return false;
@ -5546,9 +5546,13 @@ bool HOptimizedGraphBuilder::PropertyAccessInfo::LoadResult(Handle<Map> map) {
void HOptimizedGraphBuilder::PropertyAccessInfo::LoadFieldMap(Handle<Map> map) {
// Clear any previous field map.
field_map_ = Handle<Map>::null();
// Figure out the field type from the accessor map.
HeapType* field_type = lookup_.GetFieldTypeFromMap(*map);
if (field_type->IsClass()) {
ASSERT(access_.representation().IsHeapObject());
Handle<Map> field_map = field_type->AsClass();
if (field_map->is_stable()) {
field_map_ = field_map;
@ -5604,7 +5608,7 @@ bool HOptimizedGraphBuilder::PropertyAccessInfo::CanAccessMonomorphic() {
access_ = HObjectAccess::ForField(map, &lookup_, name_);
// Load field map for heap objects.
if (access_.representation().IsHeapObject()) LoadFieldMap(transition());
LoadFieldMap(transition());
return true;
}
return false;

12
test/mjsunit/regress/regress-363956.js Normal file
View File

@ -0,0 +1,12 @@
// Copyright 2014 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function Fuu() { this.x = this.x.x; }
Fuu.prototype.x = {x: 1}
new Fuu();
new Fuu();
%OptimizeFunctionOnNextCall(Fuu);
new Fuu();