[turbofan] Ensure that all prototypes are stable for push/pop.

When lowering Array.prototype.push/.pop to the fast inlined version, we first need to ensure that all prototypes (including the Object.prototype) are stable. R=mvstanton@chromium.org BUG=chromium:644689 Review-Url: https://codereview.chromium.org/2319533005 Cr-Commit-Position: refs/heads/master@{#39266}

[turbofan] Ensure that all prototypes are stable for push/pop.
When lowering Array.prototype.push/.pop to the fast inlined version, we first need to ensure that all prototypes (including the Object.prototype) are stable. R=mvstanton@chromium.org BUG=chromium:644689 Review-Url: https://codereview.chromium.org/2319533005 Cr-Commit-Position: refs/heads/master@{#39266}
4ed27fc8 · bmeurer · Commit bot · 0ef20b51 · 4ed27fc8 · 4ed27fc8
Commit 4ed27fc8 authored Sep 08, 2016 by bmeurer Committed by Commit bot Sep 08, 2016
3 changed files
--- a/src/compiler/js-builtin-reducer.cc
+++ b/src/compiler/js-builtin-reducer.cc
@@ -145,11 +145,16 @@ bool CanInlineArrayResizeOperation(Handle<Map> receiver_map) {
  if (!receiver_map->prototype()->IsJSArray()) return false;
  Handle<JSArray> receiver_prototype(JSArray::cast(receiver_map->prototype()),
                                     isolate);
+  // Ensure that all prototypes of the {receiver} are stable.
+  for (PrototypeIterator it(isolate, receiver_prototype, kStartAtReceiver);
+       !it.IsAtEnd(); it.Advance()) {
+    Handle<JSReceiver> current = PrototypeIterator::GetCurrent<JSReceiver>(it);
+    if (!current->map()->is_stable()) return false;
+  }
  return receiver_map->instance_type() == JS_ARRAY_TYPE &&
         IsFastElementsKind(receiver_map->elements_kind()) &&
         !receiver_map->is_dictionary_map() && receiver_map->is_extensible() &&
         (!receiver_map->is_prototype_map() || receiver_map->is_stable()) &&
-         receiver_prototype->map()->is_stable() &&
         isolate->IsFastArrayConstructorPrototypeChainIntact() &&
         isolate->IsAnyInitialArrayPrototype(receiver_prototype) &&
         !IsReadOnlyLengthDescriptor(receiver_map);

--- a/test/mjsunit/regress/regress-crbug-644689-1.js
+++ b/test/mjsunit/regress/regress-crbug-644689-1.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+for (var i = 0; i < 1024; ++i) Object.prototype["i" + i] = i;
+
+function foo() { [].push(1); }
+
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();
--- a/test/mjsunit/regress/regress-crbug-644689-2.js
+++ b/test/mjsunit/regress/regress-crbug-644689-2.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+for (var i = 0; i < 1024; ++i) Object.prototype["i" + i] = i;
+
+function foo() { [1].pop(); }
+
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();