[ic] Ignore the prototype chain for typed array elements.

Elements on typed arrays are never looked up in the prototype chain, so there's no point in depending on the prototype chain validity cells for keyed stores to typed arrays. You just risk going megamorphic for unrelated changes. Bug: v8:6999 Change-Id: Id831de42a2c9eadfd5317ee9b5dbfaa207f236fe Reviewed-on: https://chromium-review.googlesource.com/737789Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#48898}

[ic] Ignore the prototype chain for typed array elements.
Elements on typed arrays are never looked up in the prototype chain, so there's no point in depending on the prototype chain validity cells for keyed stores to typed arrays. You just risk going megamorphic for unrelated changes. Bug: v8:6999 Change-Id: Id831de42a2c9eadfd5317ee9b5dbfaa207f236fe Reviewed-on: https://chromium-review.googlesource.com/737789Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#48898}
dd0a37f2 · Benedikt Meurer · Commit Bot · d74199d5 · dd0a37f2
Commit dd0a37f2 authored Oct 25, 2017 by Benedikt Meurer Committed by Commit Bot Oct 25, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

ic.cc src/ic/ic.cc +1 -0

No files found.
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -1708,6 +1708,7 @@ Handle<Object> KeyedStoreIC::StoreElementHandler(
    stub =
        StoreFastElementStub(isolate(), is_jsarray, elements_kind, store_mode)
            .GetCode();
+    if (receiver_map->has_fixed_typed_array_elements()) return stub;
  } else {
    TRACE_HANDLER_STATS(isolate(), KeyedStoreIC_StoreElementStub);
    DCHECK_EQ(DICTIONARY_ELEMENTS, elements_kind);