| Index: src/ic/ic.cc
|
| diff --git a/src/ic/ic.cc b/src/ic/ic.cc
|
| index 2d2307a1b08972080d258d5ba87d70b1bdd6f8e3..63d032c566bf2027b5bf0470aff19cc810907f48 100644
|
| --- a/src/ic/ic.cc
|
| +++ b/src/ic/ic.cc
|
| @@ -1148,7 +1148,8 @@ static Handle<Object> TryConvertKey(Handle<Object> key, Isolate* isolate) {
|
|
|
| void KeyedLoadIC::UpdateLoadElement(Handle<HeapObject> receiver) {
|
| Handle<Map> receiver_map(receiver->map(), isolate());
|
| - DCHECK(receiver_map->instance_type() != JS_VALUE_TYPE); // Checked by caller.
|
| + DCHECK(receiver_map->instance_type() != JS_VALUE_TYPE &&
|
| + receiver_map->instance_type() != JS_PROXY_TYPE); // Checked by caller.
|
| MapHandleList target_receiver_maps;
|
| TargetMaps(&target_receiver_maps);
|
|
|
| @@ -1160,11 +1161,16 @@ void KeyedLoadIC::UpdateLoadElement(Handle<HeapObject> receiver) {
|
| }
|
|
|
| for (int i = 0; i < target_receiver_maps.length(); i++) {
|
| - if (!target_receiver_maps.at(i).is_null() &&
|
| - target_receiver_maps.at(i)->instance_type() == JS_VALUE_TYPE) {
|
| + Handle<Map> map = target_receiver_maps.at(i);
|
| + if (map.is_null()) continue;
|
| + if (map->instance_type() == JS_VALUE_TYPE) {
|
| TRACE_GENERIC_IC(isolate(), "KeyedLoadIC", "JSValue");
|
| return;
|
| }
|
| + if (map->instance_type() == JS_PROXY_TYPE) {
|
| + TRACE_GENERIC_IC(isolate(), "KeyedLoadIC", "JSProxy");
|
| + return;
|
| + }
|
| }
|
|
|
| // The first time a receiver is seen that is a transitioned version of the
|
|
|
Chromium Code Reviews
Issue 1894203002:
Fix polymorphic keyed load handler selection for proxies. (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master