[turbofan] Fix another bug in InferHasInPrototypeChain
Bug: v8:9087
Change-Id: Ia806686b47f0e6ddc89f6b043df65ab8a931bbf8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1552798
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60644}
diff --git a/src/compiler/js-native-context-specialization.cc b/src/compiler/js-native-context-specialization.cc
index 9e40a58..8ff7f86 100644
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@@ -569,7 +569,13 @@
{
base::Optional<JSObjectRef> last_prototype;
if (all) {
- // We don't need to protect the full chain if we found the prototype.
+ // We don't need to protect the full chain if we found the prototype, we
+ // can stop at {prototype}. In fact we could stop at the one before
+ // {prototype} but since we're dealing with multiple receiver maps this
+ // might be a different object each time, so it's much simpler to include
+ // {prototype}. That does, however, mean that we must check {prototype}'s
+ // map stability.
+ if (!prototype->map()->is_stable()) return kMayBeInPrototypeChain;
last_prototype.emplace(broker(), Handle<JSObject>::cast(prototype));
}
WhereToStart start = result == NodeProperties::kUnreliableReceiverMaps
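Review bot: The new `is_stable()` test on L23 is a point-in-time check, and a stable map can still be deprecated or transition after this function returns; the emitted code is only sound if a stable-map dependency on `{prototype}`'s map is also registered with the compilation, which presumably happens through the dependency registration that receives `last_prototype` after this hunk (the body of InferHasInPrototypeChain starts before L13 and continues past L26, so I cannot confirm it from here). The comment on L21-L22 reads as if the check alone is sufficient; I would extend it to name the other half of the contract, e.g. `// ... so we must check {prototype}'s map stability here and the caller below must also register a stable-map dependency on it (via last_prototype), otherwise a later map transition would not deoptimize this code.` Also worth noting inline that the cast on L24 relies on `{prototype}` being a JSObject, since that precondition is established outside the hunk.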