Disallow updates to ic_with_type_info_count with negative values.

R=jkummerow@chromium.org Review URL: https://chromiumcodereview.appspot.com/10883064 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12386 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Disallow updates to ic_with_type_info_count with negative values.
R=jkummerow@chromium.org Review URL: https://chromiumcodereview.appspot.com/10883064 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12386 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
b588b094 · ulan@chromium.org · efb53e14 · b588b094
Commit b588b094 authored Aug 27, 2012 by ulan@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 4 deletions

objects-inl.h src/objects-inl.h +11 -4

No files found.
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -5241,10 +5241,17 @@ int TypeFeedbackInfo::ic_with_type_info_count() {

 void TypeFeedbackInfo::change_ic_with_type_info_count(int delta) {
  int value = Smi::cast(READ_FIELD(this, kStorage2Offset))->value();
-  int current_count = ICsWithTypeInfoCountField::decode(value);
-  value =
-      ICsWithTypeInfoCountField::update(value, current_count + delta);
-  WRITE_FIELD(this, kStorage2Offset, Smi::FromInt(value));
+  int new_count = ICsWithTypeInfoCountField::decode(value) + delta;
+  // We can get negative count here when the type-feedback info is
+  // shared between two code objects. The can only happen when
+  // the debugger made a shallow copy of code object (see Heap::CopyCode).
+  // Since we do not optimize when the debugger is active, we can skip
+  // this counter update.
+  if (new_count >= 0) {
+    new_count &= ICsWithTypeInfoCountField::kMask;
+    value = ICsWithTypeInfoCountField::update(value, new_count);
+    WRITE_FIELD(this, kStorage2Offset, Smi::FromInt(value));
+  }
 }