Fix polymorphic keyed load handler selection for string elements

The monomorphic case already carefully ensures that we don't try to use a regular elements load stub on string wrapper elements. The polymorphic path must perform an equivalent check. BUG=chromium:594955 LOG=n R=verwaest@chromium.org Review URL: https://codereview.chromium.org/1806543002 Cr-Commit-Position: refs/heads/master@{#34807}

Fix polymorphic keyed load handler selection for string elements
The monomorphic case already carefully ensures that we don't try to use a regular elements load stub on string wrapper elements. The polymorphic path must perform an equivalent check. BUG=chromium:594955 LOG=n R=verwaest@chromium.org Review URL: https://codereview.chromium.org/1806543002 Cr-Commit-Position: refs/heads/master@{#34807}
84dd29bb · jkummerow · Commit bot · 8a809501 · 84dd29bb · 84dd29bb
Commit 84dd29bb authored Mar 16, 2016 by jkummerow Committed by Commit bot Mar 16, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 1 deletion

ic.cc src/ic/ic.cc +9 -1

regress-crbug-594955.js test/mjsunit/regress/regress-crbug-594955.js +11 -0

No files found.
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -1288,10 +1288,10 @@ static Handle<Object> TryConvertKey(Handle<Object> key, Isolate* isolate) {
 Handle<Code> KeyedLoadIC::LoadElementStub(Handle<HeapObject> receiver) {
  Handle<Code> null_handle;
  Handle<Map> receiver_map(receiver->map(), isolate());
+  DCHECK(receiver_map->instance_type() != JS_VALUE_TYPE);  // Checked by caller.
  MapHandleList target_receiver_maps;
  TargetMaps(&target_receiver_maps);

-
  if (target_receiver_maps.length() == 0) {
    Handle<Code> handler =
        PropertyICCompiler::ComputeKeyedLoadMonomorphicHandler(
@@ -1300,6 +1300,14 @@ Handle<Code> KeyedLoadIC::LoadElementStub(Handle<HeapObject> receiver) {
    return null_handle;
  }

+  for (int i = 0; i < target_receiver_maps.length(); i++) {
+    if (!target_receiver_maps.at(i).is_null() &&
+        target_receiver_maps.at(i)->instance_type() == JS_VALUE_TYPE) {
+      TRACE_GENERIC_IC(isolate(), "KeyedLoadIC", "JSValue");
+      return megamorphic_stub();
+    }
+  }
+
  // The first time a receiver is seen that is a transitioned version of the
  // previous monomorphic receiver type, assume the new ElementsKind is the
  // monomorphic type. This benefits global arrays that only transition

--- a/test/mjsunit/regress/regress-crbug-594955.js
+++ b/test/mjsunit/regress/regress-crbug-594955.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function g(s, key) { return s[key]; }
+
+assertEquals(g(new String("a"), "length"), 1);
+assertEquals(g(new String("a"), "length"), 1);
+assertEquals(g("a", 32), undefined);
+assertEquals(g("a", "length"), 1);
+assertEquals(g(new String("a"), "length"), 1);