Restore intended LoadIC behavior for JSBuiltinsObject

R=danno@chromium.org

Review URL: https://codereview.chromium.org/48343004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17462 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
parent 2ebfd6e9
......@@ -370,6 +370,18 @@ void IC::TryRemoveInvalidHandlers(Handle<Map> map, Handle<String> name) {
void IC::UpdateState(Handle<Object> receiver, Handle<Object> name) {
if (!name->IsString()) return;
// The builtins object is special. It only changes when JavaScript
// builtins are loaded lazily. It is important to keep inline
// caches for the builtins object monomorphic. Therefore, if we get
// an inline cache miss for the builtins object after lazily loading
// JavaScript builtins, we return uninitialized as the state to
// force the inline cache back to monomorphic state.
if (receiver->IsJSBuiltinsObject()) {
state_ = UNINITIALIZED;
return;
}
if (state() != MONOMORPHIC) {
if (state() == POLYMORPHIC && receiver->IsHeapObject()) {
TryRemoveInvalidHandlers(
......@@ -387,14 +399,6 @@ void IC::UpdateState(Handle<Object> receiver, Handle<Object> name) {
receiver, Handle<String>::cast(name))) {
return MarkMonomorphicPrototypeFailure();
}
// The builtins object is special. It only changes when JavaScript
// builtins are loaded lazily. It is important to keep inline
// caches for the builtins object monomorphic. Therefore, if we get
// an inline cache miss for the builtins object after lazily loading
// JavaScript builtins, we return uninitialized as the state to
// force the inline cache back to monomorphic state.
if (receiver->IsJSBuiltinsObject()) state_ = UNINITIALIZED;
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment