[compiler] Fix a bug in global property access reduction

Bug: chromium:1247763 Change-Id: I6f09d5113ef7e4774032ea586d5a1ada98aa4b1b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3149462Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/main@{#76752}

[compiler] Fix a bug in global property access reduction
Bug: chromium:1247763 Change-Id: I6f09d5113ef7e4774032ea586d5a1ada98aa4b1b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3149462Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/main@{#76752}
6391d7a5 · Georg Neis · V8 LUCI CQ · 62ed75a1 · 6391d7a5
Commit 6391d7a5 authored Sep 09, 2021 by Georg Neis Committed by V8 LUCI CQ Sep 09, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 11 deletions

js-native-context-specialization.cc src/compiler/js-native-context-specialization.cc +7 -11

No files found.
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@@ -804,6 +804,12 @@ Reduction JSNativeContextSpecialization::ReduceGlobalAccess(
      return NoChange();
    } else if (property_cell_type == PropertyCellType::kUndefined) {
      return NoChange();
+    } else if (property_cell_type == PropertyCellType::kConstantType) {
+      // We rely on stability further below.
+      if (property_cell_value.IsHeapObject() &&
+          !property_cell_value.AsHeapObject().map().is_stable()) {
+        return NoChange();
+      }
    }
  } else if (access_mode == AccessMode::kHas) {
    DCHECK_EQ(receiver, lookup_start_object);
@@ -922,17 +928,7 @@ Reduction JSNativeContextSpecialization::ReduceGlobalAccess(
        if (property_cell_value.IsHeapObject()) {
          MapRef property_cell_value_map =
              property_cell_value.AsHeapObject().map();
-          if (property_cell_value_map.is_stable()) {
-            dependencies()->DependOnStableMap(property_cell_value_map);
-          } else {
-            // The value's map is already unstable. If this store were to go
-            // through the C++ runtime, it would transition the PropertyCell to
-            // kMutable. We don't want to change the cell type from generated
-            // code (to simplify concurrent heap access), however, so we keep
-            // it as kConstantType and do the store anyways (if the new value's
-            // map matches). This is safe because it merely prolongs the limbo
-            // state that we are in already.
-          }
+          dependencies()->DependOnStableMap(property_cell_value_map);

          // Check that the {value} is a HeapObject.
          value = effect = graph()->NewNode(simplified()->CheckHeapObject(),