Fix IC cache confusion on String.prototype.length

BUG=416416 LOG=N R=jarin@chromium.org Review URL: https://codereview.chromium.org/587363002 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24174 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-24 09:33:04 +00:00 · 2014-09-24 09:33:04 +00:00 · b0b59073ac
commit b0b59073ac
parent aeae854827
2 changed files with 22 additions and 1 deletions
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@ -929,7 +929,14 @@ Handle<Code> IC::ComputeHandler(LookupIterator* lookup, Handle<Object> value) {
  code = CompileHandler(lookup, value, flag);
  DCHECK(code->is_handler());

-  if (code->type() != Code::NORMAL) {
+  // TODO(mvstanton): we'd only like to cache code on the map when it's custom
+  // code compiled for this map, otherwise it's already cached in the global
+  // code
+  // cache. We are also guarding against installing code with flags that don't
+  // match the desired CacheHolderFlag computed above, which would lead to
+  // invalid lookups later.
+  if (code->type() != Code::NORMAL &&
+      Code::ExtractCacheHolderFromFlags(code->flags()) == flag) {
    Map::UpdateCodeCache(stub_holder_map, lookup->name(), code);
  }

--- a/test/mjsunit/regress/regress-416416.js
+++ b/test/mjsunit/regress/regress-416416.js
@ -0,0 +1,14 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function foo() {
+  try {
+    String.prototype.length.x();
+  } catch (e) {
+  }
+}
+
+foo();
+foo();
+foo();