Try to work around http://crbug.com/16276 until we can...

src/ic.cc

 // Copyright 2006-2009 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 20 matching lines @@
 #include "api.h"
 #include "arguments.h"
 #include "execution.h"
 #include "ic-inl.h"
 #include "runtime.h"
 #include "stub-cache.h"
 
 namespace v8 {
 namespace internal {
 
+// Temporary helper for working around http://crbug.com/16276. If we
+// allow 'the hole value' to leak into the IC code, it may lead to
+// crashes, but this should not happen and we should track down the
+// cause of it.
+static inline Handle<Object> UnholeForBug16276(Handle<Object> object) {
+  if (!object->IsTheHole()) return object;
+  ASSERT(false);  // This should not happen.
+  return Factory::undefined_value();
+}
+
+
 #ifdef DEBUG
 static char TransitionMarkFromState(IC::State state) {
   switch (state) {
     case UNINITIALIZED: return '0';
     case PREMONOMORPHIC: return 'P';
     case MONOMORPHIC: return '1';
     case MONOMORPHIC_PROTOTYPE_FAILURE: return '^';
     case MEGAMORPHIC: return 'N';
 
     // We never see the debugger states here, because the state is
@@ skipping 263 matching lines @@
     frame->SetExpression(index, *target);
   }
 
   return *delegate;
 }
 
 
 Object* CallIC::LoadFunction(State state,
                              Handle<Object> object,
                              Handle<String> name) {
+  object = UnholeForBug16276(object);
+
   // If the object is undefined or null it's illegal to try to get any
   // of its properties; throw a TypeError in that case.
   if (object->IsUndefined() || object->IsNull()) {
     return TypeError("non_object_property_call", object, name);
   }
 
-  Object* result = Heap::the_hole_value();
-
   // Check if the name is trivially convertible to an index and get
   // the element if so.
   uint32_t index;
   if (name->AsArrayIndex(&index)) {
-    result = object->GetElement(index);
+    Object* result = object->GetElement(index);
     if (result->IsJSFunction()) return result;
 
     // Try to find a suitable function delegate for the object at hand.
     result = TryCallAsFunction(result);
     if (result->IsJSFunction()) return result;
 
     // Otherwise, it will fail in the lookup step.
   }
 
   // Lookup the property in the object.
   LookupResult lookup;
   LookupForRead(*object, *name, &lookup);
 
   if (!lookup.IsValid()) {
     // If the object does not have the requested property, check which
     // exception we need to throw.
     if (is_contextual()) {
       return ReferenceError("not_defined", name);
     }
     return TypeError("undefined_method", object, name);
   }
 
   // Lookup is valid: Update inline cache and stub cache.
   if (FLAG_use_ic && lookup.IsLoaded()) {
     UpdateCaches(&lookup, state, object, name);
   }
 
   // Get the property.
   PropertyAttributes attr;
-  result = object->GetProperty(*object, &lookup, *name, &attr);
+  Object* result = object->GetProperty(*object, &lookup, *name, &attr);
   if (result->IsFailure()) return result;
   if (lookup.type() == INTERCEPTOR) {
     // If the object does not have the requested property, check which
     // exception we need to throw.
     if (attr == ABSENT) {
       if (is_contextual()) {
         return ReferenceError("not_defined", name);
       }
       return TypeError("undefined_method", object, name);
     }
   }
 
-  ASSERT(result != Heap::the_hole_value());
+  ASSERT(!result->IsTheHole());
 
   if (result->IsJSFunction()) {
     // Check if there is an optimized (builtin) version of the function.
     // Ignored this will degrade performance for Array.prototype.{push,pop}.
     // Please note we only return the optimized function iff
     // the JSObject has FastElements.
     if (object->IsJSObject() && JSObject::cast(*object)->HasFastElements()) {
       Object* opt = Top::LookupSpecialFunction(JSObject::cast(*object),
                                                lookup.holder(),
                                                JSFunction::cast(result));
@@ skipping 110 matching lines @@
     set_target(Code::cast(code));
   }
 
 #ifdef DEBUG
   TraceIC("CallIC", name, state, target(), in_loop ? " (in-loop)" : "");
 #endif
 }
 
 
 Object* LoadIC::Load(State state, Handle<Object> object, Handle<String> name) {
+  object = UnholeForBug16276(object);
+
   // If the object is undefined or null it's illegal to try to get any
   // of its properties; throw a TypeError in that case.
   if (object->IsUndefined() || object->IsNull()) {
     return TypeError("non_object_property_load", object, name);
   }
 
   if (FLAG_use_ic) {
     // Use specialized code for getting the length of strings and
     // string wrapper objects.  The length property of string wrapper
     // objects is read-only and therefore always returns the length of
@@ skipping 192 matching lines @@
 
 #ifdef DEBUG
   TraceIC("LoadIC", name, state, target());
 #endif
 }
 
 
 Object* KeyedLoadIC::Load(State state,
                           Handle<Object> object,
                           Handle<Object> key) {
+  object = UnholeForBug16276(object);
+
   if (key->IsSymbol()) {
     Handle<String> name = Handle<String>::cast(key);
 
     // If the object is undefined or null it's illegal to try to get any
     // of its properties; throw a TypeError in that case.
     if (object->IsUndefined() || object->IsNull()) {
       return TypeError("non_object_property_load", object, name);
     }
 
     if (FLAG_use_ic) {
@@ skipping 205 matching lines @@
   }
 
   return true;
 }
 
 
 Object* StoreIC::Store(State state,
                        Handle<Object> object,
                        Handle<String> name,
                        Handle<Object> value) {
+  object = UnholeForBug16276(object);
+
   // If the object is undefined or null it's illegal to try to set any
   // properties on it; throw a TypeError in that case.
   if (object->IsUndefined() || object->IsNull()) {
     return TypeError("non_object_property_store", object, name);
   }
 
   // Ignore stores where the receiver is not a JSObject.
   if (!object->IsJSObject()) return *value;
   Handle<JSObject> receiver = Handle<JSObject>::cast(object);
 
@@ skipping 98 matching lines @@
 #ifdef DEBUG
   TraceIC("StoreIC", name, state, target());
 #endif
 }
 
 
 Object* KeyedStoreIC::Store(State state,
                             Handle<Object> object,
                             Handle<Object> key,
                             Handle<Object> value) {
+  object = UnholeForBug16276(object);
+
   if (key->IsSymbol()) {
     Handle<String> name = Handle<String>::cast(key);
 
-    // If the object is undefined or null it's illegal to try to set any
-    // properties on it; throw a TypeError in that case.
+    // If the object is undefined or null it's illegal to try to set
+    // any properties on it; throw a TypeError in that case.
     if (object->IsUndefined() || object->IsNull()) {
       return TypeError("non_object_property_store", object, name);
     }
 
     // Ignore stores where the receiver is not a JSObject.
     if (!object->IsJSObject()) return *value;
     Handle<JSObject> receiver = Handle<JSObject>::cast(object);
 
     // Check if the given name is an array index.
     uint32_t index;
@@ skipping 276 matching lines @@
 #undef ADDR
 };
 
 
 Address IC::AddressFromUtilityId(IC::UtilityId id) {
   return IC_utilities[id];
 }
 
 
 } }  // namespace v8::internal