| Index: src/ic.cc
|
| diff --git a/src/ic.cc b/src/ic.cc
|
| index 11cd7ecd705385d9e37ca8783ed602f48ca47cc7..55d7ba936fb3068d105d2af10673aa31b4d1896c 100644
|
| --- a/src/ic.cc
|
| +++ b/src/ic.cc
|
| @@ -370,18 +370,6 @@ void IC::TryRemoveInvalidHandlers(Handle<Map> map, Handle<String> name) {
|
|
|
| void IC::UpdateState(Handle<Object> receiver, Handle<Object> name) {
|
| if (!name->IsString()) return;
|
| -
|
| - // The builtins object is special. It only changes when JavaScript
|
| - // builtins are loaded lazily. It is important to keep inline
|
| - // caches for the builtins object monomorphic. Therefore, if we get
|
| - // an inline cache miss for the builtins object after lazily loading
|
| - // JavaScript builtins, we return uninitialized as the state to
|
| - // force the inline cache back to monomorphic state.
|
| - if (receiver->IsJSBuiltinsObject()) {
|
| - state_ = UNINITIALIZED;
|
| - return;
|
| - }
|
| -
|
| if (state() != MONOMORPHIC) {
|
| if (state() == POLYMORPHIC && receiver->IsHeapObject()) {
|
| TryRemoveInvalidHandlers(
|
| @@ -399,6 +387,14 @@ void IC::UpdateState(Handle<Object> receiver, Handle<Object> name) {
|
| receiver, Handle<String>::cast(name))) {
|
| return MarkMonomorphicPrototypeFailure();
|
| }
|
| +
|
| + // The builtins object is special. It only changes when JavaScript
|
| + // builtins are loaded lazily. It is important to keep inline
|
| + // caches for the builtins object monomorphic. Therefore, if we get
|
| + // an inline cache miss for the builtins object after lazily loading
|
| + // JavaScript builtins, we return uninitialized as the state to
|
| + // force the inline cache back to monomorphic state.
|
| + if (receiver->IsJSBuiltinsObject()) state_ = UNINITIALIZED;
|
| }
|
|
|
|
|
|
|
Chromium Code Reviews
Issue 59103005:
Proper fix for the issue exposed by r17459 (Closed)
Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge