From a039ff2930cbe6881360925e4debc959c7db392a Mon Sep 17 00:00:00 2001
From: mlippautz
Date: Fri, 7 Aug 2015 05:54:49 -0700
Subject: [PATCH] [GC] Align behavior of JSProxy with JSObject when embedded in optimized code

With --harmony-proxies enabled, embedded pointers in optimized code can point to a JSProxy (via a cell). Since JSProxy can morph into JSObject we need to align the expectations of weak vs strong refs. With this patch we also treat JSPRoxy as weak ref (like JSObject) and therefore properly record a dependency on it, so that once the cell pointing to it becomes unreachable we deoptimize the corresponding code.
BUG=v8:4359
LOG=N
Review URL: https://codereview.chromium.org/1270393003
Cr-Commit-Position: refs/heads/master@{#30067}
---
 src/objects-inl.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/objects-inl.h b/src/objects-inl.h
index d8175c7981..21ad84990a 100644
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -4735,7 +4735,8 @@ bool Code::IsWeakObjectInOptimizedCode(Object* object) {
 } else if (object->IsPropertyCell()) {
 object = PropertyCell::cast(object)->value();
 }
- if (object->IsJSObject()) {
+ if (object->IsJSObject() || object->IsJSProxy()) {
+ // JSProxy is handled like JSObject because it can morph into one.
 return FLAG_weak_embedded_objects_in_optimized_code;
 }
 if (object->IsFixedArray()) {
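Review bot: The comment added beside the new `object->IsJSProxy()` test says only that a proxy can morph into a JSObject, and leaves out the invariant the commit description relies on: an object classified as weak here is expected to have a dependency recorded so the code is deoptimized when it dies. I would spell that out, e.g. `// A JSProxy can morph into a JSObject, so treat it as weak from the start; a dependency is then recorded and the code is deoptimized once the cell pointing to it becomes unreachable.` The diffstat shows only src/objects-inl.h changed, so no regression test for v8:4359 under --harmony-proxies comes with the fix; one that embeds a proxy via a cell would presumably keep the two code paths from drifting apart again. The body of Code::IsWeakObjectInOptimizedCode starts before and continues after this hunk, so the other branches were not reviewed.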