
Side by Side Diff: src/objects.cc

Issue 2512183002: [ic] Ensure prototype validity cell guards global object's prototype changes for LoadGlobalIC. (Closed)
Patch Set: Created 4 years, 1 month ago
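--- a/src/objects.cc
+++ b/src/objects.cc
@@ -1,10 +1,10 @@
 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/objects.h"
 
 #include <cmath>
 #include <iomanip>
 #include <memory>
 #include <sstream>
@@ -12771,23 +12771,31 @@
 if (value == false && !map->prototype_info()->IsPrototypeInfo()) {
 // "False" is the implicit default value, so there's nothing to do.
 return;
 }
 GetOrCreatePrototypeInfo(map, isolate)->set_should_be_fast_map(value);
 }
 
 // static
 Handle<Cell> Map::GetOrCreatePrototypeChainValidityCell(Handle<Map> map,
 Isolate* isolate) {
-Handle<Object> maybe_prototype(
-map->GetPrototypeChainRootMap(isolate)->prototype(), isolate);
-if (!maybe_prototype->IsJSObject()) return Handle<Cell>::null();
+Handle<Object> maybe_prototype;
+if (map->IsJSGlobalObjectMap()) {
+DCHECK(map->is_prototype_map());
+// Global object is prototype of a global proxy and therefore we can
+// use its validity cell for guarding global object's prototype change.
+maybe_prototype = isolate->global_object();
+} else {
+maybe_prototype =
+handle(map->GetPrototypeChainRootMap(isolate)->prototype(), isolate);
+if (!maybe_prototype->IsJSObject()) return Handle<Cell>::null();
+}
 Handle<JSObject> prototype = Handle<JSObject>::cast(maybe_prototype);
 // Ensure the prototype is registered with its own prototypes so its cell
 // will be invalidated when necessary.
 JSObject::LazyRegisterPrototypeUser(handle(prototype->map(), isolate),
 isolate);
 Handle<PrototypeInfo> proto_info =
 GetOrCreatePrototypeInfo(prototype, isolate);
 Object* maybe_cell = proto_info->validity_cell();
 // Return existing cell if it's still valid.
 if (maybe_cell->IsCell()) {
@@ -20422,10 +20430,10 @@
 // depend on this.
 return DICTIONARY_ELEMENTS;
 }
 DCHECK_LE(kind, LAST_ELEMENTS_KIND);
 return kind;
 }
 }
 
 } // namespace internal
 } // namespace v8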
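Review bot: In the new `map->IsJSGlobalObjectMap()` branch of `Map::GetOrCreatePrototypeChainValidityCell`, the validity cell comes from `isolate->global_object()`, which is the current context's global rather than the object that owns `map`, and nothing in the visible lines ties the two together. If a global-object map from another native context can reach this path, the returned cell would guard a different object's prototype chain. A LoadGlobalIC handler relying on it might then not be invalidated when the relevant prototype changes. The only guard is `DCHECK(map->is_prototype_map())`, which is compiled out of release builds, so I would state the invariant in the comment and assert it, for example `DCHECK_EQ(isolate->global_object()->map(), *map);`. The function body continues past the visible lines, so this may already be guaranteed by callers not shown here.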