| OLD | NEW |
|---|
| 1 // Copyright 2016 the V8 project authors. All rights reserved. | 1 // Copyright 2016 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/code-stub-assembler.h" | 5 #include "src/code-stub-assembler.h" |
| 6 #include "src/code-factory.h" | 6 #include "src/code-factory.h" |
| 7 #include "src/frames-inl.h" | 7 #include "src/frames-inl.h" |
| 8 #include "src/frames.h" | 8 #include "src/frames.h" |
| 9 #include "src/ic/handler-configuration.h" | 9 #include "src/ic/handler-configuration.h" |
| 10 #include "src/ic/stub-cache.h" | 10 #include "src/ic/stub-cache.h" |
| (...skipping 3819 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3830 | 3830 |
| 3831 GotoUnless(UintPtrLessThan(intptr_index, length), &if_oob); | 3831 GotoUnless(UintPtrLessThan(intptr_index, length), &if_oob); |
| 3832 | 3832 |
| 3833 // Check if the element is a double hole, but don't load it. | 3833 // Check if the element is a double hole, but don't load it. |
| 3834 LoadFixedDoubleArrayElement(elements, intptr_index, MachineType::None(), 0, | 3834 LoadFixedDoubleArrayElement(elements, intptr_index, MachineType::None(), 0, |
| 3835 INTPTR_PARAMETERS, if_not_found); | 3835 INTPTR_PARAMETERS, if_not_found); |
| 3836 Goto(if_found); | 3836 Goto(if_found); |
| 3837 } | 3837 } |
| 3838 Bind(&if_isdictionary); | 3838 Bind(&if_isdictionary); |
| 3839 { | 3839 { |
| 3840 // Negative keys must be converted to property names. |
| 3841 GotoIf(IntPtrLessThan(intptr_index, IntPtrConstant(0)), if_bailout); |
| 3842 |
| 3840 Variable var_entry(this, MachineType::PointerRepresentation()); | 3843 Variable var_entry(this, MachineType::PointerRepresentation()); |
| 3841 Node* elements = LoadElements(object); | 3844 Node* elements = LoadElements(object); |
| 3842 NumberDictionaryLookup<SeededNumberDictionary>( | 3845 NumberDictionaryLookup<SeededNumberDictionary>( |
| 3843 elements, intptr_index, if_found, &var_entry, if_not_found); | 3846 elements, intptr_index, if_found, &var_entry, if_not_found); |
| 3844 } | 3847 } |
| 3845 Bind(&if_isfaststringwrapper); | 3848 Bind(&if_isfaststringwrapper); |
| 3846 { | 3849 { |
| 3847 AssertInstanceType(object, JS_VALUE_TYPE); | 3850 AssertInstanceType(object, JS_VALUE_TYPE); |
| 3848 Node* string = LoadJSValueValue(object); | 3851 Node* string = LoadJSValueValue(object); |
| 3849 Assert(IsStringInstanceType(LoadInstanceType(string))); | 3852 Assert(IsStringInstanceType(LoadInstanceType(string))); |
| (...skipping 2022 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 5872 Heap::kTheHoleValueRootIndex); | 5875 Heap::kTheHoleValueRootIndex); |
| 5873 | 5876 |
| 5874 // Store the WeakCell in the feedback vector. | 5877 // Store the WeakCell in the feedback vector. |
| 5875 StoreFixedArrayElement(feedback_vector, slot, cell, UPDATE_WRITE_BARRIER, | 5878 StoreFixedArrayElement(feedback_vector, slot, cell, UPDATE_WRITE_BARRIER, |
| 5876 CodeStubAssembler::SMI_PARAMETERS); | 5879 CodeStubAssembler::SMI_PARAMETERS); |
| 5877 return cell; | 5880 return cell; |
| 5878 } | 5881 } |
| 5879 | 5882 |
| 5880 } // namespace internal | 5883 } // namespace internal |
| 5881 } // namespace v8 | 5884 } // namespace v8 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2585323002:
Merged: [stubs] Fix negative index lookup in hasOwnProperty (Closed)
