Check is_simple_api_call before IsCrossContextLazyAccessorPair, accessor could be null

Bug: chromium:779367 Change-Id: I0d361ffc9be1e271e91ce81c3e5cf70697c0ac0b Reviewed-on: https://chromium-review.googlesource.com/749812Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#49081}

Check is_simple_api_call before IsCrossContextLazyAccessorPair, accessor could be null
Bug: chromium:779367 Change-Id: I0d361ffc9be1e271e91ce81c3e5cf70697c0ac0b Reviewed-on: https://chromium-review.googlesource.com/749812Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#49081}
b976b30b · Toon Verwaest · Commit Bot · a9a50dc9 · b976b30b · b976b30b
Commit b976b30b authored Nov 02, 2017 by Toon Verwaest Committed by Commit Bot Nov 02, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 1 deletion

access-info.cc src/compiler/access-info.cc +1 -1

regress-crbug-779367.js test/mjsunit/regress/regress-crbug-779367.js +17 -0

No files found.
--- a/src/compiler/access-info.cc
+++ b/src/compiler/access-info.cc
@@ -445,11 +445,11 @@ bool AccessInfoFactory::ComputePropertyAccessInfo(
              isolate());
          if (!accessor->IsJSFunction()) {
            CallOptimization optimization(accessor);
+            if (!optimization.is_simple_api_call()) return false;
            if (optimization.IsCrossContextLazyAccessorPair(*native_context_,
                                                            *map)) {
              return false;
            }
-            if (!optimization.is_simple_api_call()) return false;

            CallOptimization::HolderLookup lookup;
            holder =

--- a/test/mjsunit/regress/regress-crbug-779367.js
+++ b/test/mjsunit/regress/regress-crbug-779367.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function g(o) {
+  return o.x;
+}
+
+Object.defineProperty(g, 'x', {set(v) {}});
+
+g.prototype = 1;
+g(g);
+g(g);
+%OptimizeFunctionOnNextCall(g);
+g(g);