    Reland "Optimize `in` operator" · 803ad324
    Matt Gardner authored
    The original was reverted for breaking webkit layout tests:
    https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8-Blink%20Linux%2064/30270
    
    It also caused the following clusterfuzz failures:
    
    chromium:935832
    This was a correctness bug due to not properly handling the case of arrays with prototypes other
    than Array.prototype. Accesses that were TheHole were not being handled properly, both in-bounds
    holes in holey arrays and out of bounds on either holey or packed arrays. Handling was incorrect
    both in access-assembler and in Turbofan.
    
    chromium:935932
    This bug was that there was no handling for Has checks on the global object. Turbofan was emitting
    code for a store (the 'else' condition on 'access_mode == AccessMode::kLoad'). It hit a DCHECK in
    debug builds but in release could show up in different places. This is the bug that caused the
    webkit layout test failure that led to the revert.
    
    Both bugs are fixed in this CL, and tests are added for those cases.
    
    Bug: v8:8733, chromium:935932, chromium:935832
    Change-Id: Iba0dfcfce6e15d2c0815a7670ece67bc13ba1925
    Reviewed-on: https://chromium-review.googlesource.com/c/1493132
    Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
    Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
    Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
    Commit-Queue: Matt Gardner <magardn@microsoft.com>
    Cr-Commit-Position: refs/heads/master@{#59958}
Changed file: js-native-context-specialization.cc (145 KB)
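The two regressions described in the commit message are both about the observable semantics of `in` that an optimized fast path must preserve. The following is an added JavaScript example, not the CL's own test code: it constructs a holey array and a packed array whose prototype is not Array.prototype (chromium:935832) and runs a Has check against the global object (chromium:935932), returning the results so they can be compared against the unoptimized behaviour. The property name `__inProbe` is hypothetical.

```javascript
// Added example (not from the V8 CL): the `in` operator semantics that the
// relanded optimization has to preserve. All inputs are constructed here.

// Case 1 (chromium:935832): arrays whose prototype is not Array.prototype.
// A hole is not an own property, so `in` must fall through to the prototype
// chain rather than treating the hole as "present" or "absent" outright, and
// an out-of-bounds index must do the same on both holey and packed arrays.
function arrayInChecks() {
  const holey = [0, , 2];   // index 1 is a hole (TheHole internally), length 3
  const packed = [0, 1, 2]; // no holes, length 3
  // Custom prototype supplying index 1 (shadowed by the hole) and index 5
  // (beyond both arrays' length).
  const proto = Object.create(Array.prototype, {
    1: { value: 'from-proto', enumerable: true },
    5: { value: 'oob-from-proto', enumerable: true },
  });
  Object.setPrototypeOf(holey, proto);
  Object.setPrototypeOf(packed, proto);
  return {
    holeWithoutProto: 1 in [0, , 2],      // false: hole, Array.prototype has no '1'
    holeIsNotUndefined: 0 in [undefined], // true: explicit undefined is an own property
    holeWithProto: 1 in holey,            // true: hole falls through to proto
    oobHoleyPresent: 5 in holey,          // true: out of bounds, supplied by proto
    oobPackedPresent: 5 in packed,        // true: same for a packed array
    oobHoleyAbsent: 7 in holey,           // false: neither own nor on the chain
    oobPackedAbsent: 3 in packed,         // false: just past the end, not on proto
  };
}

// Case 2 (chromium:935932): `in` on the global object is a Has check, not a
// load and not a store. It must observe definition and deletion of the
// property and must never create it.
function globalInChecks() {
  const name = '__inProbe'; // hypothetical property name
  const beforeDefine = name in globalThis;
  globalThis[name] = 1;
  const afterDefine = name in globalThis;
  delete globalThis[name];
  const afterDelete = name in globalThis;
  return {
    beforeDefine, // false
    afterDefine,  // true
    afterDelete,  // false
    builtin: 'Array' in globalThis, // true
    // false: the Has checks above did not create the property
    notCreated: Object.prototype.hasOwnProperty.call(globalThis, name),
  };
}
```

To exercise the Turbofan path rather than the interpreter, the usual approach is to warm the two functions up in a loop and run under `d8`/`node --allow-natives-syntax` with `%OptimizeFunctionOnNextCall(arrayInChecks)` before the final call, then compare the returned objects with the unoptimized result; any mismatch on the hole or out-of-bounds entries is the class of bug the first revert was about.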