Side by Side Diff: src/ic/ic.cc

Issue 1894203002: Fix polymorphic keyed load handler selection for proxies. (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: Created 4 years, 8 months ago
1 // Copyright 2012 the V8 project authors. All rights reserved. 1 // Copyright 2012 the V8 project authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "src/ic/ic.h" 5 #include "src/ic/ic.h"
6 6
7 #include "src/accessors.h" 7 #include "src/accessors.h"
8 #include "src/api.h" 8 #include "src/api.h"
9 #include "src/api-arguments.h" 9 #include "src/api-arguments.h"
10 #include "src/arguments.h" 10 #include "src/arguments.h"
(...skipping 1130 matching lines...) Expand 10 before | Expand all | Expand 10 after
1141 } 1141 }
1142 } 1142 }
1143 } else if (key->IsUndefined()) { 1143 } else if (key->IsUndefined()) {
1144 key = isolate->factory()->undefined_string(); 1144 key = isolate->factory()->undefined_string();
1145 } 1145 }
1146 return key; 1146 return key;
1147 } 1147 }
1148 1148
1149 void KeyedLoadIC::UpdateLoadElement(Handle<HeapObject> receiver) { 1149 void KeyedLoadIC::UpdateLoadElement(Handle<HeapObject> receiver) {
1150 Handle<Map> receiver_map(receiver->map(), isolate()); 1150 Handle<Map> receiver_map(receiver->map(), isolate());
1151 DCHECK(receiver_map->instance_type() != JS_VALUE_TYPE); // Checked by caller. 1151 DCHECK(receiver_map->instance_type() != JS_VALUE_TYPE &&
1152 receiver_map->instance_type() != JS_PROXY_TYPE); // Checked by caller.
1152 MapHandleList target_receiver_maps; 1153 MapHandleList target_receiver_maps;
1153 TargetMaps(&target_receiver_maps); 1154 TargetMaps(&target_receiver_maps);
1154 1155
1155 if (target_receiver_maps.length() == 0) { 1156 if (target_receiver_maps.length() == 0) {
1156 Handle<Code> handler = 1157 Handle<Code> handler =
1157 PropertyICCompiler::ComputeKeyedLoadMonomorphicHandler( 1158 PropertyICCompiler::ComputeKeyedLoadMonomorphicHandler(
1158 receiver_map, extra_ic_state()); 1159 receiver_map, extra_ic_state());
1159 return ConfigureVectorState(Handle<Name>(), receiver_map, handler); 1160 return ConfigureVectorState(Handle<Name>(), receiver_map, handler);
1160 } 1161 }
1161 1162
1162 for (int i = 0; i < target_receiver_maps.length(); i++) { 1163 for (int i = 0; i < target_receiver_maps.length(); i++) {
1163 if (!target_receiver_maps.at(i).is_null() && 1164 Handle<Map> map = target_receiver_maps.at(i);
1164 target_receiver_maps.at(i)->instance_type() == JS_VALUE_TYPE) { 1165 if (map.is_null()) continue;
1166 if (map->instance_type() == JS_VALUE_TYPE) {
1165 TRACE_GENERIC_IC(isolate(), "KeyedLoadIC", "JSValue"); 1167 TRACE_GENERIC_IC(isolate(), "KeyedLoadIC", "JSValue");
1166 return; 1168 return;
1167 } 1169 }
1170 if (map->instance_type() == JS_PROXY_TYPE) {
1171 TRACE_GENERIC_IC(isolate(), "KeyedLoadIC", "JSProxy");
1172 return;
1173 }
1168 } 1174 }
1169 1175
1170 // The first time a receiver is seen that is a transitioned version of the 1176 // The first time a receiver is seen that is a transitioned version of the
1171 // previous monomorphic receiver type, assume the new ElementsKind is the 1177 // previous monomorphic receiver type, assume the new ElementsKind is the
1172 // monomorphic type. This benefits global arrays that only transition 1178 // monomorphic type. This benefits global arrays that only transition
1173 // once, and all call sites accessing them are faster if they remain 1179 // once, and all call sites accessing them are faster if they remain
1174 // monomorphic. If this optimistic assumption is not true, the IC will 1180 // monomorphic. If this optimistic assumption is not true, the IC will
1175 // miss again and it will become polymorphic and support both the 1181 // miss again and it will become polymorphic and support both the
1176 // untransitioned and transitioned maps. 1182 // untransitioned and transitioned maps.
1177 if (state() == MONOMORPHIC && !receiver->IsString() && 1183 if (state() == MONOMORPHIC && !receiver->IsString() &&
(...skipping 1559 matching lines...) Expand 10 before | Expand all | Expand 10 after
2737 KeyedLoadICNexus nexus(vector, vector_slot); 2743 KeyedLoadICNexus nexus(vector, vector_slot);
2738 KeyedLoadIC ic(IC::EXTRA_CALL_FRAME, isolate, &nexus); 2744 KeyedLoadIC ic(IC::EXTRA_CALL_FRAME, isolate, &nexus);
2739 ic.UpdateState(receiver, key); 2745 ic.UpdateState(receiver, key);
2740 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, result, ic.Load(receiver, key)); 2746 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, result, ic.Load(receiver, key));
2741 } 2747 }
2742 2748
2743 return *result; 2749 return *result;
2744 } 2750 }
2745 } // namespace internal 2751 } // namespace internal
2746 } // namespace v8 2752 } // namespace v8
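Review bot: In the new loop body of UpdateLoadElement (new lines 1164-1173) `map->instance_type()` is read twice and the JSValue and JSProxy branches are structurally identical, so a single `switch` on the instance type would make it obvious that both map kinds abandon the element handler and fall back to the generic stub. The reason should be stated in a comment, e.g. `// Element-load handlers cannot serve JSValue or JSProxy receivers; give up and go generic.`, since the only existing documentation is `// Checked by caller.` on the DCHECK. Note that the widened DCHECK on new lines 1151-1152 is compiled out in release builds, so there the loop is the only check preventing a proxy map already recorded in the feedback vector from being paired with an element-load handler; that is worth saying explicitly rather than leaving it implied. UpdateLoadElement continues past the end of this hunk.
```cpp
  for (int i = 0; i < target_receiver_maps.length(); i++) {
    Handle<Map> map = target_receiver_maps.at(i);
    if (map.is_null()) continue;
    // Element-load handlers cannot serve JSValue or JSProxy receivers;
    // give up and go generic.
    switch (map->instance_type()) {
      case JS_VALUE_TYPE:
        TRACE_GENERIC_IC(isolate(), "KeyedLoadIC", "JSValue");
        return;
      case JS_PROXY_TYPE:
        TRACE_GENERIC_IC(isolate(), "KeyedLoadIC", "JSProxy");
        return;
      default:
        break;
    }
  }
  // … unchanged: transition handling and polymorphic update …
```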
