• Georg Neis's avatar
    [compiler] Fix use of HeapObjectMatcher · 27900f17
    Georg Neis authored
    In a few places we incorrectly assumed to know the instance type of the
    heap object. In particular, in JSCallReducer::ReduceDataViewAccess,
    doing map inference on the receiver and determining that all maps are
    JSDataView maps does not guarantee that the receiver is a JSDataView
    constant because we might deopt before getting to the data view
    operation.
    
    Bug: chromium:1146652
    Change-Id: I1611308c3ebe0d33fa6b0cf0938d777b4e6449ff
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2524440
    Auto-Submit: Georg Neis <neis@chromium.org>
    Commit-Queue: Maya Lekova <mslekova@chromium.org>
    Reviewed-by: 's avatarMaya Lekova <mslekova@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#71034}
    27900f17
js-native-context-specialization.cc 144 KB