| Index: src/ic/arm64/ic-arm64.cc
|
| diff --git a/src/ic/arm64/ic-arm64.cc b/src/ic/arm64/ic-arm64.cc
|
| index 13dd3913aedecfa1269663903c6702e71bda2d4e..41e1678b7ca1ed04d1309b60f90446432bcee6eb 100644
|
| --- a/src/ic/arm64/ic-arm64.cc
|
| +++ b/src/ic/arm64/ic-arm64.cc
|
| @@ -657,9 +657,12 @@ void KeyedStoreIC::GenerateMegamorphic(MacroAssembler* masm,
|
| Register instance_type = x10;
|
| __ CompareInstanceType(receiver_map, instance_type, JS_ARRAY_TYPE);
|
| __ B(eq, &array);
|
| - // Check that the object is some kind of JSObject.
|
| - __ Cmp(instance_type, FIRST_JS_OBJECT_TYPE);
|
| - __ B(lt, &slow);
|
| + // Check that the object is some kind of JS object EXCEPT JS Value type. In
|
| + // the case that the object is a value-wrapper object, we enter the runtime
|
| + // system to make sure that indexing into string objects works as intended.
|
| + STATIC_ASSERT(JS_VALUE_TYPE < JS_OBJECT_TYPE);
|
| + __ Cmp(instance_type, JS_OBJECT_TYPE);
|
| + __ B(lo, &slow);
|
|
|
| // Object case: Check key against length in the elements array.
|
| __ Ldr(elements, FieldMemOperand(receiver, JSObject::kElementsOffset));
|
|
|
Chromium Code Reviews
Issue 1228063004:
Fix keyed element access wrt string wrappers (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master