[turbofan] Fix Object.prototype.__proto__ getter reduction.

This fixes a corner-case where the call reduction of the aforementioned getter did not simulate the {ToObject} conversion of the receiver value as required by the spec. This caused the wrong prototype to be constant promoted (i.e. {null} instead of wrapper object prototype). R=jarin@chromium.org TEST=mjsunit/regress/regress-crbug-694709 BUG=chromium:694709 Change-Id: Idf3a37071949d9ddaf5ef43974570c06fd31c0c9 Reviewed-on: https://chromium-review.googlesource.com/445818Reviewed-by: Igor Sheludko <ishell@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#43376}

[turbofan] Fix Object.prototype.proto getter reduction.
This fixes a corner-case where the call reduction of the aforementioned getter did not simulate the {ToObject} conversion of the receiver value as required by the spec. This caused the wrong prototype to be constant promoted (i.e. {null} instead of wrapper object prototype). R=jarin@chromium.org TEST=mjsunit/regress/regress-crbug-694709 BUG=chromium:694709 Change-Id: Idf3a37071949d9ddaf5ef43974570c06fd31c0c9 Reviewed-on: https://chromium-review.googlesource.com/445818Reviewed-by: Igor Sheludko <ishell@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#43376}
beb94c5e · Michael Starzinger · Commit Bot · 2bc222b0 · beb94c5e · beb94c5e
Commit beb94c5e authored Feb 22, 2017 by Michael Starzinger Committed by Commit Bot Feb 22, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 5 deletions

js-call-reducer.cc src/compiler/js-call-reducer.cc +8 -5

regress-crbug-694709.js test/mjsunit/regress/regress-crbug-694709.js +13 -0

No files found.
--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@@ -326,19 +326,22 @@ Reduction JSCallReducer::ReduceObjectPrototypeGetProto(Node* node) {
  // Try to determine the {receiver} map.
  ZoneHandleSet<Map> receiver_maps;
  if (NodeProperties::InferReceiverMaps(receiver, effect, &receiver_maps)) {
-    Handle<Object> receiver_prototype(receiver_maps[0]->prototype(), isolate());
+    Handle<Map> candidate_map(
+        receiver_maps[0]->GetPrototypeChainRootMap(isolate()));
+    Handle<Object> candidate_prototype(candidate_map->prototype(), isolate());

-    // Check if we can constant-fold the {receiver_prototype}.
+    // Check if we can constant-fold the {candidate_prototype}.
    for (size_t i = 0; i < receiver_maps.size(); ++i) {
-      Handle<Map> const receiver_map = receiver_maps[i];
+      Handle<Map> const receiver_map(
+          receiver_maps[i]->GetPrototypeChainRootMap(isolate()));
      if (receiver_map->IsJSProxyMap() ||
          receiver_map->has_hidden_prototype() ||
          receiver_map->is_access_check_needed() ||
-          receiver_map->prototype() != *receiver_prototype) {
+          receiver_map->prototype() != *candidate_prototype) {
        return NoChange();
      }
    }
-    Node* value = jsgraph()->Constant(receiver_prototype);
+    Node* value = jsgraph()->Constant(candidate_prototype);
    ReplaceWithValue(node, value);
    return Replace(value);
  }

--- a/test/mjsunit/regress/regress-crbug-694709.js
+++ b/test/mjsunit/regress/regress-crbug-694709.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --turbo
+
+function f(primitive) {
+  return primitive.__proto__;
+}
+assertEquals(Symbol.prototype, f(Symbol()));
+assertEquals(Symbol.prototype, f(Symbol()));
+%OptimizeFunctionOnNextCall(f);
+assertEquals(Symbol.prototype, f(Symbol()));