Commit e61add91, authored by jkummerow, committed by Commit bot

[turbofan] Fix ReduceNamedAccess for detached global proxies

There is no guarantee that Map::GetConstructor() returns a JSFunction.
Specifically, detached global proxies return the |null| sentinel. So
we have to check the object type before casting to JSFunction.

BUG=chromium:694141

Review-Url: https://codereview.chromium.org/2739303003
Cr-Commit-Position: refs/heads/master@{#43727}
parent 12ffd366
......@@ -570,9 +570,11 @@ Reduction JSNativeContextSpecialization::ReduceNamedAccess(
if (receiver_maps.length() == 1) {
Handle<Map> receiver_map = receiver_maps.first();
if (receiver_map->IsJSGlobalProxyMap()) {
Context* receiver_context =
JSFunction::cast(receiver_map->GetConstructor())->native_context();
if (receiver_context == *native_context()) {
Object* maybe_constructor = receiver_map->GetConstructor();
// Detached global proxies have |null| as their constructor.
if (maybe_constructor->IsJSFunction() &&
JSFunction::cast(maybe_constructor)->native_context() ==
*native_context()) {
return ReduceGlobalAccess(node, receiver, value, name, access_mode,
index);
}
......
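Review bot: The new condition `maybe_constructor->IsJSFunction() && ...` makes a detached global proxy skip `ReduceGlobalAccess` and fall through to whatever follows the `IsJSGlobalProxyMap()` block, but the comment only explains why the constructor can be |null|, not that the fall-through is the intended handling. I would extend the comment to say that such receivers are deliberately left to the code after this block. Since the unchecked `JSFunction::cast(receiver_map->GetConstructor())` was a type confusion on a non-function value, a regression test for chromium:694141 that performs a named access on a detached global proxy in optimized code should accompany this hunk, if it is not already in a part of the commit that is not shown here.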