Commit 1e3c3876 authored by Suraj Sharma's avatar Suraj Sharma Committed by Commit Bot

Modify the DCHECK in when computing KeyedAccessStoreMode.

Since slow handler was previously not a Smi. The DCHECK assumed any
Smi Handler on this path should be a proxy handler. Now it Checks for
both, and should continue if the current handler is a slow handler.

Bug: chromium:1008632
Change-Id: I079960894d7320d8d658d0990e8c32db51703206
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1828480Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
Commit-Queue: Suraj Sharma <surshar@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#64052}
parent f9aa377d
......@@ -1203,9 +1203,11 @@ KeyedAccessStoreMode FeedbackNexus::GetKeyedAccessStoreMode() const {
handler = handle(Code::cast(data_handler->smi_handler()),
vector().GetIsolate());
} else if (maybe_code_handler.object()->IsSmi()) {
// Skip proxy handlers.
DCHECK_EQ(*(maybe_code_handler.object()),
*StoreHandler::StoreProxy(GetIsolate()));
// Skip proxy handlers and the slow handler.
DCHECK(*(maybe_code_handler.object()) ==
*StoreHandler::StoreProxy(GetIsolate()) ||
*(maybe_code_handler.object()) ==
*StoreHandler::StoreSlow(GetIsolate()));
continue;
} else {
// Element store without prototype chain check.
......
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-lazy-feedback-allocation
var __v_9690 = function () {};
try {
(function () {
__f_1653();
})()
} catch (__v_9763) {
}
function __f_1653(__v_9774, __v_9775) {
try {
} catch (e) {}
__v_9774[__v_9775 + 4] = 2;
}
(function () {
%PrepareFunctionForOptimization(__f_1653);
__f_1653(__v_9690, true);
%OptimizeFunctionOnNextCall(__f_1653);
assertThrows(() => __f_1653(), TypeError);
})();
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment