Commit cf572694 authored by Michael Stanton's avatar Michael Stanton

Assert to protect against polymorphic string loads fires on valid stores.

BUG=435477
LOG=N
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/751513002

Cr-Commit-Position: refs/heads/master@{#25456}
parent 3d58b82a
...@@ -7106,7 +7106,9 @@ HValue* HOptimizedGraphBuilder::HandlePolymorphicElementAccess( ...@@ -7106,7 +7106,9 @@ HValue* HOptimizedGraphBuilder::HandlePolymorphicElementAccess(
MapHandleList possible_transitioned_maps(maps->length()); MapHandleList possible_transitioned_maps(maps->length());
for (int i = 0; i < maps->length(); ++i) { for (int i = 0; i < maps->length(); ++i) {
Handle<Map> map = maps->at(i); Handle<Map> map = maps->at(i);
DCHECK(!map->IsStringMap()); // Loads from strings or loads with a mix of string and non-string maps
// shouldn't be handled polymorphically.
DCHECK(access_type != LOAD || !map->IsStringMap());
ElementsKind elements_kind = map->elements_kind(); ElementsKind elements_kind = map->elements_kind();
if (CanInlineElementAccess(map) && IsFastElementsKind(elements_kind) && if (CanInlineElementAccess(map) && IsFastElementsKind(elements_kind) &&
elements_kind != GetInitialFastElementsKind()) { elements_kind != GetInitialFastElementsKind()) {
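Review bot: The relaxed `DCHECK(access_type != LOAD || !map->IsStringMap())` now admits string maps on the store path, but the new comment explains only the load case and nothing in the hunk says why a string receiver is safe for a store. DCHECK is compiled out of release builds, so what actually keeps a string map off the inlined element access is whatever `CanInlineElementAccess(map)` and the code after this loop do, and both are outside the hunk. I would extend the comment with the store-side reasoning, for example `// Stores may reach here with a string map; such maps must never take the inlined fast-elements path below.`, and confirm that this holds without the assert. HandlePolymorphicElementAccess starts and ends outside the hunk.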
......
// Copyright 2014 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
var a = new Array(128);
function f(a, base) {
a[base] = 2;
}
f(a, undefined);
f("r12", undefined);
f(a, 0);
%OptimizeFunctionOnNextCall(f);
f(a, 0);
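Review bot: The regression test makes no assertion, so it passes whenever the debug check does not fire and would not notice a wrong result from the optimized store; in a release build it verifies nothing. Adding `assertEquals(2, a[0]);` after the final `f(a, 0)` would pin the result of the optimized store, assuming this file runs under the mjsunit harness as the `Flags:` line suggests. A one-line comment above `f("r12", undefined)` noting that this call is presumably what introduces the string map into the store's feedback would also help the next reader.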