Fix for v8:4380 introduced a regression in Octane crypto.

Narrowed the scope of the fix, to make a best effort to avoid DEOPT in case the hole is loaded, but not to permute the choice of a consolidated load in case that effort fails. BUG=chromium:530005 LOG=N Review URL: https://codereview.chromium.org/1330233004 Cr-Commit-Position: refs/heads/master@{#30677}
2015-09-10 04:38:07 -07:00 · 2015-09-10 04:38:07 -07:00 · ebd16fd89d
commit ebd16fd89d
parent aacaafd00b
1 changed files with 20 additions and 21 deletions
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@ -7452,37 +7452,36 @@ HInstruction* HOptimizedGraphBuilder::TryBuildConsolidatedElementLoad(
      : most_general_consolidated_map->elements_kind();
  LoadKeyedHoleMode load_mode = NEVER_RETURN_HOLE;
  if (has_seen_holey_elements) {
-    if (!isolate()->IsFastArrayConstructorPrototypeChainIntact()) {
-      return NULL;
-    }
-
    // Make sure that all of the maps we are handling have the initial array
    // prototype.
+    bool saw_non_array_prototype = false;
    for (int i = 0; i < maps->length(); ++i) {
      Handle<Map> map = maps->at(i);
      if (map->prototype() != *isolate()->initial_array_prototype()) {
        // We can't guarantee that loading the hole is safe. The prototype may
        // have an element at this position.
-        return NULL;
+        saw_non_array_prototype = true;
+        break;
      }
    }

-    Handle<Map> holey_map =
-        handle(isolate()->get_initial_js_array_map(consolidated_elements_kind));
-    load_mode = BuildKeyedHoleMode(holey_map);
-    if (load_mode == NEVER_RETURN_HOLE) {
-      return NULL;
-    }
-
-    for (int i = 0; i < maps->length(); ++i) {
-      Handle<Map> map = maps->at(i);
-      // The prototype check was already done for the holey map in
-      // BuildKeyedHoleMode.
-      if (!map.is_identical_to(holey_map)) {
-        Handle<JSObject> prototype(JSObject::cast(map->prototype()), isolate());
-        Handle<JSObject> object_prototype =
-            isolate()->initial_object_prototype();
-        BuildCheckPrototypeMaps(prototype, object_prototype);
+    if (!saw_non_array_prototype) {
+      Handle<Map> holey_map = handle(
+          isolate()->get_initial_js_array_map(consolidated_elements_kind));
+      load_mode = BuildKeyedHoleMode(holey_map);
+      if (load_mode != NEVER_RETURN_HOLE) {
+        for (int i = 0; i < maps->length(); ++i) {
+          Handle<Map> map = maps->at(i);
+          // The prototype check was already done for the holey map in
+          // BuildKeyedHoleMode.
+          if (!map.is_identical_to(holey_map)) {
+            Handle<JSObject> prototype(JSObject::cast(map->prototype()),
+                                       isolate());
+            Handle<JSObject> object_prototype =
+                isolate()->initial_object_prototype();
+            BuildCheckPrototypeMaps(prototype, object_prototype);
+          }
+        }
      }
    }
  }