[turbofan] Check for nullptr maps.

ReduceJSStoreDataPropertyInLiteral should not reduce the monomorphic case if the map got deleted. This has been fixed before in the context of a larger commit, which was reverted. R=adamk@chromium.org, mvstanton@chromium.org, bmeurer@chromium.org BUG=v8:5873 Review-Url: https://codereview.chromium.org/2644733007 Cr-Commit-Position: refs/heads/master@{#42548}

[turbofan] Check for nullptr maps.
ReduceJSStoreDataPropertyInLiteral should not reduce the monomorphic case if the map got deleted. This has been fixed before in the context of a larger commit, which was reverted. R=adamk@chromium.org, mvstanton@chromium.org, bmeurer@chromium.org BUG=v8:5873 Review-Url: https://codereview.chromium.org/2644733007 Cr-Commit-Position: refs/heads/master@{#42548}
dd8881a5 · franzih · Commit bot · 73281702 · dd8881a5
Commit dd8881a5 authored Jan 20, 2017 by franzih Committed by Commit bot Jan 20, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

js-native-context-specialization.cc src/compiler/js-native-context-specialization.cc +6 -0

No files found.
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@@ -1282,6 +1282,12 @@ Reduction JSNativeContextSpecialization::ReduceJSStoreDataPropertyInLiteral(

  DCHECK_EQ(MONOMORPHIC, nexus.ic_state());

+  Map* map = nexus.FindFirstMap();
+  if (map == nullptr) {
+    // Maps are weakly held in the type feedback vector, we may not have one.
+    return NoChange();
+  }
+
  Handle<Map> receiver_map(nexus.FindFirstMap(), isolate());
  Handle<Name> cached_name =
      handle(Name::cast(nexus.GetFeedbackExtra()), isolate());