[turbofan] Fix another bug in InferHasInPrototypeChain

Bug: v8:9087 Change-Id: Ia806686b47f0e6ddc89f6b043df65ab8a931bbf8 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1552798Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#60644}

[turbofan] Fix another bug in InferHasInPrototypeChain
Bug: v8:9087 Change-Id: Ia806686b47f0e6ddc89f6b043df65ab8a931bbf8 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1552798Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#60644}
31af63a4 · Georg Neis · Commit Bot · 1fb26d83 · 31af63a4
Commit 31af63a4 authored Apr 05, 2019 by Georg Neis Committed by Commit Bot Apr 05, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 1 deletion

js-native-context-specialization.cc src/compiler/js-native-context-specialization.cc +7 -1

No files found.
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@@ -569,7 +569,13 @@ JSNativeContextSpecialization::InferHasInPrototypeChain(
  {
    base::Optional<JSObjectRef> last_prototype;
    if (all) {
-      // We don't need to protect the full chain if we found the prototype.
+      // We don't need to protect the full chain if we found the prototype, we
+      // can stop at {prototype}.  In fact we could stop at the one before
+      // {prototype} but since we're dealing with multiple receiver maps this
+      // might be a different object each time, so it's much simpler to include
+      // {prototype}. That does, however, mean that we must check {prototype}'s
+      // map stability.
+      if (!prototype->map()->is_stable()) return kMayBeInPrototypeChain;
      last_prototype.emplace(broker(), Handle<JSObject>::cast(prototype));
    }
    WhereToStart start = result == NodeProperties::kUnreliableReceiverMaps