    [turbofan] Fix CanTreatHoleAsUndefined check. · e1e35df3
    Benedikt Meurer authored
    The test for CanTreatHoleAsUndefined on keyed element access was
    checking for stability of Object.prototype and Array.prototype and
    even adding stability dependencies on both, which is too restrictive
    and leads to unnecessary deoptimizations (and might disable further
    optimization of the keyed access depending on the state of the
    prototype objects during optimization). This was not intended and
    is considered a (performance) bug.
    
    Instead use the correct approach of checking whether the receiver's
    prototype is one of the current Object.prototype or Array.prototype
    objects (since the Array protector works isolate-wide), and then
    check the Array protector and install an appropriate code dependency
    on the protector only.
    
    Bug: v8:6607
    Change-Id: I0bcfe32813ca3693e7b22de31b03edb3509d0a27
    Reviewed-on: https://chromium-review.googlesource.com/574849
    Reviewed-by: Daniel Clifford <danno@chromium.org>
    Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#46743}
js-native-context-specialization.cc 105 KB
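The language-level behaviour behind the check described in the commit message, as an added JavaScript illustration (not code from this commit or from V8): a hole in an array reads as `undefined` only while no object on the receiver's prototype chain has an element at that index. The helper names `load`, `withElement` and `demo` are made up for this example.

```javascript
'use strict';
// Added illustration, not V8 source. Shows when a hole may be read as
// undefined and when the prototype chain changes the answer.

// Keyed element access, the operation the commit message talks about.
function load(receiver, index) {
  return receiver[index];
}

// Temporarily put an element on `proto`, run `fn`, then remove it again.
function withElement(proto, index, value, fn) {
  proto[index] = value;
  try {
    return fn();
  } finally {
    delete proto[index];
  }
}

function demo() {
  const holey = [0, , 2]; // index 1 is a hole, not a stored undefined
  const results = {};

  // Untouched prototypes: the lookup falls off the chain and gives undefined.
  results.pristine = load(holey, 1);

  // An element on Array.prototype or Object.prototype shows through the hole.
  results.arrayProto = withElement(
    Array.prototype, 1, 'from Array.prototype', () => load(holey, 1));
  results.objectProto = withElement(
    Object.prototype, 1, 'from Object.prototype', () => load(holey, 1));

  // A receiver whose prototype is some other object: elements on that object
  // also show through, although Array.prototype and Object.prototype
  // themselves were never modified.
  const customProto = Object.create(Array.prototype);
  customProto[1] = 'from custom prototype';
  const other = [0, , 2];
  Object.setPrototypeOf(other, customProto);
  results.customProto = load(other, 1);

  // After cleanup the original array reads undefined again.
  results.restored = load(holey, 1);
  return results;
}

console.log(demo());
```

The `customProto` case shows why the receiver's prototype has to be identified first: a guarantee about `Array.prototype` and `Object.prototype` says nothing about a receiver that inherits from a different object.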