Commit 36e80d38 authored by Mythri A, committed by Commit Bot

[ic] Use slow stub if typed arrays are in prototype chain of JSObjects

The fast store handlers create elements and if we have a typed array
on the prototype chain it is not easy to check when it is OK to create
new elements. The TypedArrays swallow all OOB stores, and there is no
easy way to check if the current store is OOB for JSObjects. So use
slow stub when there are typed arrays on the prototype chain of
JSObjects.

Bug: chromium:1068492
Change-Id: I9eea9cf00e3eb84931c5545d18ba53c4ec39f353
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2134138
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67226}
parent 07336053
......@@ -2164,13 +2164,13 @@ MaybeHandle<Object> KeyedStoreIC::Store(Handle<Object> object,
} else if (object->IsJSArray() && IsGrowStoreMode(store_mode) &&
JSArray::HasReadOnlyLength(Handle<JSArray>::cast(object))) {
set_slow_stub_reason("array has read only length");
} else if (object->IsJSArray() && MayHaveTypedArrayInPrototypeChain(
} else if (object->IsJSObject() && MayHaveTypedArrayInPrototypeChain(
Handle<JSObject>::cast(object))) {
// Make sure we don't handle this in IC if there's any JSTypedArray in
// the {receiver}'s prototype chain, since that prototype is going to
// swallow all stores that are out-of-bounds for said prototype, and we
// just let the runtime deal with the complexity of this.
set_slow_stub_reason("typed array in the prototype chain of an Array");
set_slow_stub_reason("typed array in the prototype chain");
} else if (key_is_valid_index) {
if (old_receiver_map->is_abandoned_prototype_map()) {
set_slow_stub_reason("receiver with prototype map");
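Review bot: Widening the guard from object->IsJSArray() to object->IsJSObject() means MayHaveTypedArrayInPrototypeChain is now evaluated for every keyed store on a plain object that reaches this branch, not only for arrays, so it sits on the hot path of KeyedStoreIC::Store; worth confirming the prototype-chain walk is cheap (or short-circuited) before landing. The placement is right, since the check precedes the key_is_valid_index fast paths that would otherwise create elements, and the reason string was updated to match the broader scope ("typed array in the prototype chain").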
......
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --no-lazy-feedback-allocation

// Regression test for chromium:1068492: a plain object whose prototype
// chain contains a typed array must not get new elements created by the
// fast keyed store handler.
v = {};
v.__proto__ = new Int32Array(1);

function foo() {
  for (var i = 0; i < 2; i++) {
    v[i] = 0;
  }
}

foo();
// Int32Array(1) has a single element, so index 1 is out of bounds for the
// prototype; that store is swallowed by the typed array instead of
// creating a new element on v, leaving only index 0 as an own property.
assertEquals(Object.keys(v).length, 1);
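The prototype-chain semantics the commit message relies on, as an added example that is not part of the V8 commit: it assumes a current engine (Node.js) and the helper names storeViaTypedArrayProto and storeOnTypedArray are my own. It also goes beyond the regression test by covering a deeper chain, where a plain object sits between the receiver and the typed array.

```javascript
// Added example (not part of the V8 commit). A store to an index that is
// out of bounds for a typed array on the receiver's prototype chain is
// swallowed (no own element is created), while an in-bounds index becomes
// an ordinary own property of the receiver. Assumes a current V8/Node.js.

// Store `value` at each index on a plain object whose prototype chain ends
// in an Int32Array of the given length; `depth` > 1 inserts extra plain
// objects between the receiver and the typed array.
function storeViaTypedArrayProto(length, indices, value, depth = 1) {
  const ta = new Int32Array(length);
  let proto = ta;
  for (let d = 1; d < depth; d++) {
    proto = Object.create(proto);          // receiver -> obj -> ... -> ta
  }
  const receiver = Object.create(proto);
  for (const i of indices) {
    receiver[i] = value;
  }
  return {
    ownKeys: Object.keys(receiver),        // which stores created elements
    typedArray: Array.from(ta),            // what reached the typed array
  };
}

// The same stores applied directly to a typed array receiver: in-bounds
// stores write the element, out-of-bounds stores are dropped silently.
function storeOnTypedArray(length, indices, value) {
  const ta = new Int32Array(length);
  for (const i of indices) {
    ta[i] = value;
  }
  return { ownKeys: Object.keys(ta), typedArray: Array.from(ta) };
}

// Example run: only index 0 is in bounds for an Int32Array(1).
console.log(storeViaTypedArrayProto(1, [0, 1, 5], 7));
console.log(storeViaTypedArrayProto(1, [0, 1, 5], 7, 3));
console.log(storeOnTypedArray(1, [0, 1, 5], 7));
```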