• sgjesse@chromium.org's avatar
    Handle overwriting valueOf on String objects correctly when adding · 8e0cd6db
    sgjesse@chromium.org authored
    This adds a check to the fast case string add to ensure that the String object still have the default valueOf function. The default valueOf is sitting on a hidden prototype of String.prototype.
    
    Before using the fast case valueOf the object is checked for a local valueOf property. For slow case objects this check always reports true (the dictionary is not probed, so valueOf might be there) and for fast case objects the descriptor array is checked for the valueOf symbol (just liniar scan). After that the prototype is checked for beeing the initial value of String.prototype. If this all pass (that is the default valueOf is still in place) this result is cached on the map making the check fast the next time.
    
    This is only implemented in the optimizing compiler, as the two usages of %_IsStringWrapperSafeForDefaultValueOf is never hit by the full compiler.
    
    I will port to x64 and ARM when this has been reviewed for ia32.
    
    I will remove the performance counters prior to final commit.
    
    BUG=http://code.google.com/p/v8/issues/detail?id=760
    TEST=test/mjsunit/regress/regress-760-1.js
    TEST=test/mjsunit/regress/regress-760-2.js
    
    Review URL: http://codereview.chromium.org/3117006
    
    git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5252 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
    8e0cd6db
codegen-ia32.cc 497 KB