[compiler] Add synchronization for background prototype chain walk

Bug: v8:7790 Change-Id: I1c0275401671bb85d92afd2910618a0a345c26c9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2210233 Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#68519}

[compiler] Add synchronization for background prototype chain walk
Bug: v8:7790 Change-Id: I1c0275401671bb85d92afd2910618a0a345c26c9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2210233 Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#68519}
879bb039 · Santiago Aboy Solanes · Commit Bot · f569be61 · 879bb039
Commit 879bb039 authored Jun 24, 2020 by Santiago Aboy Solanes Committed by Commit Bot Jun 24, 2020
Show whitespace changes
Inline Side-by-side

Showing with 8 additions and 7 deletions

access-info.cc src/compiler/access-info.cc +8 -7

No files found.
--- a/src/compiler/access-info.cc
+++ b/src/compiler/access-info.cc
@@ -564,7 +564,8 @@ PropertyAccessInfo AccessInfoFactory::ComputePropertyAccessInfo(
    // Walk up the prototype chain.
    MapRef(broker(), map).SerializePrototype();
-    if (!map->prototype().IsJSObject()) {
+    Handle<HeapObject> map_prototype(map->prototype(), isolate());
+    if (!map_prototype->IsJSObject()) {
      // Perform the implicit ToObject for primitives here.
      // Implemented according to ES6 section 7.3.2 GetV (V, P).
      Handle<JSFunction> constructor;
@@ -572,8 +573,9 @@ PropertyAccessInfo AccessInfoFactory::ComputePropertyAccessInfo(
              map, broker()->target_native_context().object())
              .ToHandle(&constructor)) {
        map = handle(constructor->initial_map(), isolate());
-        DCHECK(map->prototype().IsJSObject());
+        map_prototype = handle(map->prototype(), isolate());
-      } else if (map->prototype().IsNull(isolate())) {
+        DCHECK(map_prototype->IsJSObject());
+      } else if (map_prototype->IsNull(isolate())) {
        // Store to property not found on the receiver or any prototype, we need
        // to transition to a new data property.
        // Implemented according to ES6 section 9.1.9 [[Set]] (P, V, Receiver)
@@ -588,10 +590,9 @@ PropertyAccessInfo AccessInfoFactory::ComputePropertyAccessInfo(
        return PropertyAccessInfo::Invalid(zone());
      }
    }
-    Handle<JSObject> map_prototype(JSObject::cast(map->prototype()), isolate());
+    map = handle(map_prototype->synchronized_map(), isolate());
-    CHECK(!map_prototype->map().is_deprecated());
+    CHECK(!map->is_deprecated());
-    map = handle(map_prototype->map(), isolate());
+    holder = Handle<JSObject>::cast(map_prototype);
-    holder = map_prototype;
    if (!CanInlinePropertyAccess(map)) {
      return PropertyAccessInfo::Invalid(zone());