From 810e8593003c33c058cee7ad0fcd42c788cb5597 Mon Sep 17 00:00:00 2001
From: Toon Verwaest
Date: Fri, 24 Mar 2017 10:36:42 +0100
Subject: [PATCH] [ic] Make sure we don't use a smi-handler for FunctionTemplate getters

BUG=chromium:704110,v8:5561
Change-Id: Ie57bccd2f9da714b179f69c14242bcf056d3065f
Reviewed-on: https://chromium-review.googlesource.com/459476
Reviewed-by: Igor Sheludko
Commit-Queue: Toon Verwaest
Cr-Commit-Position: refs/heads/master@{#44091}
---
 src/counters.h | 2 ++
 src/ic/ic.cc | 42 ++++++++++++++++++++++++++++++------------
 2 files changed, 32 insertions(+), 12 deletions(-)

diff --git a/src/counters.h b/src/counters.h
index 39d97dd018..be4563db60 100644
--- a/src/counters.h
+++ b/src/counters.h
@@ -774,6 +774,8 @@ class RuntimeCallTimer final {
 V(KeyedStoreIC_StoreElementStub) \
 V(LoadIC_FunctionPrototypeStub) \
 V(LoadIC_HandlerCacheHit_Accessor) \
+ V(LoadIC_LoadAccessorDH) \
+ V(LoadIC_LoadAccessorFromPrototypeDH) \
 V(LoadIC_LoadApiGetterDH) \
 V(LoadIC_LoadApiGetterFromPrototypeDH) \
 V(LoadIC_LoadCallback) \
diff --git a/src/ic/ic.cc b/src/ic/ic.cc
index 49a50a8c0e..b554897f77 100644
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -1154,28 +1154,46 @@ Handle LoadIC::GetMapIndependentHandler(LookupIterator* lookup) {
 return slow_stub();
 }
+ CallOptimization call_optimization(getter);
+ if (call_optimization.is_simple_api_call()) {
+ if (!call_optimization.IsCompatibleReceiverMap(map, holder) ||
+ !holder->HasFastProperties()) {
+ TRACE_HANDLER_STATS(isolate(), LoadIC_SlowStub);
+ return slow_stub();
+ }
+ break;
+ }
+
+ // FunctionTemplate isn't yet supported as smi-handler.
+ if (getter->IsFunctionTemplateInfo()) {
+ if (!holder->HasFastProperties()) {
+ TRACE_HANDLER_STATS(isolate(), LoadIC_SlowStub);
+ return slow_stub();
+ }
+ break;
+ }
+
 Handle smi_handler;
 if (holder->HasFastProperties()) {
- CallOptimization call_optimization(getter);
- if (call_optimization.is_simple_api_call()) {
- if (!call_optimization.IsCompatibleReceiverMap(map, holder)) {
- return slow_stub();
- }
- break;
- }
 smi_handler = LoadHandler::LoadAccessor(isolate(), lookup->GetAccessorIndex());
- if (receiver_is_holder) return smi_handler;
- } else if (receiver_is_holder && !holder->IsJSGlobalObject()) {
- TRACE_HANDLER_STATS(isolate(), LoadIC_LoadNormalDH);
- return LoadHandler::LoadNormal(isolate());
+ if (receiver_is_holder) {
+ TRACE_HANDLER_STATS(isolate(), LoadIC_LoadAccessorDH);
+ return smi_handler;
+ }
+ TRACE_HANDLER_STATS(isolate(), LoadIC_LoadAccessorFromPrototypeDH);
 } else if (holder->IsJSGlobalObject()) {
 TRACE_HANDLER_STATS(isolate(), LoadIC_LoadGlobalFromPrototypeDH);
 smi_handler = LoadHandler::LoadGlobal(isolate());
 } else {
- TRACE_HANDLER_STATS(isolate(), LoadIC_LoadNormalFromPrototypeDH);
 smi_handler = LoadHandler::LoadNormal(isolate());
+
+ if (receiver_is_holder) {
+ TRACE_HANDLER_STATS(isolate(), LoadIC_LoadNormalDH);
+ return smi_handler;
+ }
+ TRACE_HANDLER_STATS(isolate(), LoadIC_LoadNormalFromPrototypeDH);
 }
 return LoadFromPrototype(map, holder, lookup->name(), smi_handler);
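Review bot: The invariant that the two early exits ahead of `Handle smi_handler;` enforce is neither explained nor asserted, although it is the whole point of the fix: a FunctionTemplateInfo getter must never fall through to the LoadAccessor / LoadNormal / LoadGlobal smi-handlers chosen below. I would widen the one-line comment to `// FunctionTemplateInfo getters must not reach the smi-handlers below: break out for fast-mode holders, slow stub otherwise.` and, assuming the check that ends just above the hunk already rejects every other getter kind, add `DCHECK(getter->IsJSFunction());` right before `Handle smi_handler;` so a future getter kind fails loudly in debug builds instead of being mis-typed by a handler. The diffstat lists only src/counters.h and src/ic/ic.cc, so the change for the referenced bug lands without a regression test for a FunctionTemplate getter on a holder without fast properties. The body of LoadIC::GetMapIndependentHandler starts and ends outside this hunk.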