Disable merging simulates across captured objects.

BUG=chromium:416730 LOG=N R=jkummerow@chromium.org Review URL: https://codereview.chromium.org/607453002 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24225 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-25 12:16:32 +00:00 · 2014-09-25 12:16:32 +00:00 · b11c925142
commit b11c925142
parent 3857757f96
2 changed files with 31 additions and 0 deletions
--- a/src/hydrogen-removable-simulates.cc
+++ b/src/hydrogen-removable-simulates.cc
@ -53,6 +53,13 @@ class State : public ZoneObject {
      FlushSimulates();
      return this;
    }
+    if (instr->IsCapturedObject()) {
+      // Do not merge simulates across captured objects - captured objects
+      // change environments during environment replay, and such changes
+      // would not be reflected in the simulate.
+      FlushSimulates();
+      return this;
+    }
    // Skip the non-simulates and the first simulate.
    if (!instr->IsSimulate()) return this;
    if (first_) {
--- a/test/mjsunit/regress/regress-416730.js
+++ b/test/mjsunit/regress/regress-416730.js
@ -0,0 +1,24 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var d = {x: undefined, y: undefined};
+
+function Crash(left, right) {
+  var c = {
+    x: right.x - left.x,
+    y: right.y - left.y
+  };
+  return c.x * c.y;
+}
+
+var a = {x: 0.5, y: 0};
+var b = {x: 1, y: 0};
+
+for (var i = 0; i < 3; i++) Crash(a, b);
+%OptimizeFunctionOnNextCall(Crash);
+Crash(a, b);
+
+Crash({x: 0, y: 0.5}, b);