Version 4.3.61.38 (cherry-pick)
Merged 8c298c79c2eff50b1d3809a5f72ed7d3679c47a4
Move compatible receiver check from CompileHandler to UpdateCaches
BUG=chromium:505374
LOG=N
TBR=hablich@chromium.org
Review URL: https://codereview.chromium.org/1233593002 .
Cr-Commit-Position: refs/branch-heads/4.3@{#43}
Cr-Branched-From: f5c0a23a505616796a628d64f4ffe377d1fc4bcf-refs/heads/4.3.61@{#1}
Cr-Branched-From: 0a7d4f496a554028de0ab5a963c3a004e693b4cb-refs/heads/master@{#27508}
diff --git a/include/v8-version.h b/include/v8-version.h
index dbbb2dc..54efa56 100644
--- a/include/v8-version.h
+++ b/include/v8-version.h
@@ -11,7 +11,7 @@
#define V8_MAJOR_VERSION 4
#define V8_MINOR_VERSION 3
#define V8_BUILD_NUMBER 61
-#define V8_PATCH_LEVEL 37
+#define V8_PATCH_LEVEL 38
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
diff --git a/src/ic/ic.cc b/src/ic/ic.cc
index 0ba80d3..c6d7609 100644
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -1111,7 +1111,39 @@
code = slow_stub();
}
} else {
- code = ComputeHandler(lookup);
+ if (lookup->state() == LookupIterator::ACCESSOR) {
+ Handle<Object> accessors = lookup->GetAccessors();
+ Handle<Map> map = receiver_map();
+ if (accessors->IsExecutableAccessorInfo()) {
+ Handle<ExecutableAccessorInfo> info =
+ Handle<ExecutableAccessorInfo>::cast(accessors);
+ if ((v8::ToCData<Address>(info->getter()) != 0) &&
+ !ExecutableAccessorInfo::IsCompatibleReceiverMap(isolate(), info,
+ map)) {
+ TRACE_GENERIC_IC(isolate(), "LoadIC", "incompatible receiver type");
+ code = slow_stub();
+ }
+ } else if (accessors->IsAccessorPair()) {
+ Handle<Object> getter(Handle<AccessorPair>::cast(accessors)->getter(),
+ isolate());
+ Handle<JSObject> holder = lookup->GetHolder<JSObject>();
+ Handle<Object> receiver = lookup->GetReceiver();
+ if (getter->IsJSFunction() && holder->HasFastProperties()) {
+ Handle<JSFunction> function = Handle<JSFunction>::cast(getter);
+ if (receiver->IsJSObject() || function->IsBuiltin() ||
+ !is_sloppy(function->shared()->language_mode())) {
+ CallOptimization call_optimization(function);
+ if (call_optimization.is_simple_api_call() &&
+ !call_optimization.IsCompatibleReceiver(receiver, holder)) {
+ TRACE_GENERIC_IC(isolate(), "LoadIC",
+ "incompatible receiver type");
+ code = slow_stub();
+ }
+ }
+ }
+ }
+ }
+ if (code.is_null()) code = ComputeHandler(lookup);
}
PatchCache(lookup->name(), code);
@@ -1238,6 +1270,8 @@
if (v8::ToCData<Address>(info->getter()) == 0) break;
if (!ExecutableAccessorInfo::IsCompatibleReceiverMap(isolate(), info,
map)) {
+ // This case should be already handled in LoadIC::UpdateCaches.
+ UNREACHABLE();
break;
}
if (!holder->HasFastProperties()) break;
@@ -1258,10 +1292,14 @@
}
CallOptimization call_optimization(function);
NamedLoadHandlerCompiler compiler(isolate(), map, holder, cache_holder);
- if (call_optimization.is_simple_api_call() &&
- call_optimization.IsCompatibleReceiver(receiver, holder)) {
- return compiler.CompileLoadCallback(lookup->name(), call_optimization,
- lookup->GetAccessorIndex());
+ if (call_optimization.is_simple_api_call()) {
+ if (call_optimization.IsCompatibleReceiver(receiver, holder)) {
+ return compiler.CompileLoadCallback(
+ lookup->name(), call_optimization, lookup->GetAccessorIndex());
+ } else {
+ // This case should be already handled in LoadIC::UpdateCaches.
+ UNREACHABLE();
+ }
}
int expected_arguments =
function->shared()->internal_formal_parameter_count();
diff --git a/test/cctest/test-api.cc b/test/cctest/test-api.cc
index 1411d40..8005f35 100644
--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -21927,3 +21927,42 @@
}
free(buffer);
}
+
+
+TEST(CompatibleReceiverCheckOnCachedICHandler) {
+ v8::Isolate* isolate = CcTest::isolate();
+ v8::HandleScope scope(isolate);
+ v8::Local<v8::FunctionTemplate> parent = FunctionTemplate::New(isolate);
+ v8::Local<v8::Signature> signature = v8::Signature::New(isolate, parent);
+ auto returns_42 =
+ v8::FunctionTemplate::New(isolate, Returns42, Local<Value>(), signature);
+ parent->PrototypeTemplate()->SetAccessorProperty(v8_str("age"), returns_42);
+ v8::Local<v8::FunctionTemplate> child = v8::FunctionTemplate::New(isolate);
+ child->Inherit(parent);
+ LocalContext env;
+ env->Global()->Set(v8_str("Child"), child->GetFunction());
+
+ // Make sure there's a compiled stub for "Child.prototype.age" in the cache.
+ CompileRun(
+ "var real = new Child();\n"
+ "for (var i = 0; i < 3; ++i) {\n"
+ " real.age;\n"
+ "}\n");
+
+ // Check that the cached stub is never used.
+ ExpectInt32(
+ "var fake = Object.create(Child.prototype);\n"
+ "var result = 0;\n"
+ "function test(d) {\n"
+ " if (d == 3) return;\n"
+ " try {\n"
+ " fake.age;\n"
+ " result = 1;\n"
+ " } catch (e) {\n"
+ " }\n"
+ " test(d+1);\n"
+ "}\n"
+ "test(0);\n"
+ "result;\n",
+ 0);
+}
