Don't inline Array functions if receiver map is not extensible.

BUG=405517 LOG=N TEST=mjsunit/regress/regress-crbug-405517.js R=bmeurer@chromium.org Review URL: https://codereview.chromium.org/552333002 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23828 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-10 09:22:13 +00:00 · 2014-09-10 09:22:13 +00:00 · d66ed1176f
commit d66ed1176f
parent 99301fc8c5
2 changed files with 22 additions and 3 deletions
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@ -8227,7 +8227,7 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall(
      ElementsKind elements_kind = receiver_map->elements_kind();
      if (!IsFastElementsKind(elements_kind)) return false;
      if (receiver_map->is_observed()) return false;
-      DCHECK(receiver_map->is_extensible());
+      if (!receiver_map->is_extensible()) return false;

      Drop(expr->arguments()->length());
      HValue* result;
@ -8292,7 +8292,7 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall(
      if (!IsFastElementsKind(elements_kind)) return false;
      if (receiver_map->is_observed()) return false;
      if (JSArray::IsReadOnlyLengthDescriptor(receiver_map)) return false;
-      DCHECK(receiver_map->is_extensible());
+      if (!receiver_map->is_extensible()) return false;

      // If there may be elements accessors in the prototype chain, the fast
      // inlined version can't be used.
@ -8459,7 +8459,7 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall(
      if (!IsFastElementsKind(kind)) return false;
      if (receiver_map->is_observed()) return false;
      if (argument_count != 2) return false;
-      DCHECK(receiver_map->is_extensible());
+      if (!receiver_map->is_extensible()) return false;

      // If there may be elements accessors in the prototype chain, the fast
      // inlined version can't be used.
--- a/test/mjsunit/regress/regress-crbug-412319.js
+++ b/test/mjsunit/regress/regress-crbug-412319.js
@ -0,0 +1,19 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function __f_6() {
+ var __v_7 = [0];
+ %PreventExtensions(__v_7);
+ for (var __v_6 = -2; __v_6 < 19; __v_6++) __v_7.shift();
+ __f_7(__v_7);
+}
+__f_6();
+__f_6();
+%OptimizeFunctionOnNextCall(__f_6);
+__f_6();
+function __f_7(__v_7) {
+  __v_7.push(Infinity);
+}