[turbofan] Fix another bug in InferHasInPrototypeChain

Bug: v8:9087
Change-Id: Ia806686b47f0e6ddc89f6b043df65ab8a931bbf8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1552798
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60644}
diff --git a/src/compiler/js-native-context-specialization.cc b/src/compiler/js-native-context-specialization.cc
index 9e40a58..8ff7f86 100644
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@@ -569,7 +569,13 @@
   {
     base::Optional<JSObjectRef> last_prototype;
     if (all) {
-      // We don't need to protect the full chain if we found the prototype.
+      // We don't need to protect the full chain if we found the prototype, we
+      // can stop at {prototype}.  In fact we could stop at the one before
+      // {prototype} but since we're dealing with multiple receiver maps this
+      // might be a different object each time, so it's much simpler to include
+      // {prototype}. That does, however, mean that we must check {prototype}'s
+      // map stability.
+      if (!prototype->map()->is_stable()) return kMayBeInPrototypeChain;
       last_prototype.emplace(broker(), Handle<JSObject>::cast(prototype));
     }
     WhereToStart start = result == NodeProperties::kUnreliableReceiverMaps
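Review bot: The new `is_stable()` check on L24 is a one-time query, and nothing in the hunk registers a dependency on `prototype`'s map, so the comment's claim that "we must check {prototype}'s map stability" is only sound if the later chain walk (which receives `last_prototype`) records a stable-map dependency on `prototype` itself rather than stopping just before it. If it does, a short comment would close the gap for the next reader: `// The chain walk below registers a stable-map dependency on {last_prototype} too; this early check only avoids emitting a dependency that would immediately fail.` If it does not, the check alone would not catch a transition of `prototype`'s map after specialization, and a dependency on that map needs to be added at this point. The enclosing function starts and ends outside the hunk, so the semantics of the walk that consumes `last_prototype` cannot be confirmed from here.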