[ic] Ensure state of load/store ICs always progresses.

... even when a receiver is not an object. BUG=v8:5697 Review-Url: https://codereview.chromium.org/2548753003 Cr-Commit-Position: refs/heads/master@{#41458}

[ic] Ensure state of load/store ICs always progresses.
... even when a receiver is not an object. BUG=v8:5697 Review-Url: https://codereview.chromium.org/2548753003 Cr-Commit-Position: refs/heads/master@{#41458}
e7a51fff · ishell · Commit bot · 6e2bb997 · e7a51fff · e7a51fff
Commit e7a51fff authored Dec 02, 2016 by ishell Committed by Commit bot Dec 02, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 42 additions and 0 deletions

counters.h src/counters.h +2 -0

ic.cc src/ic/ic.cc +14 -0

regress-v8-5697.js test/mjsunit/regress/regress-v8-5697.js +26 -0

No files found.
--- a/src/counters.h
+++ b/src/counters.h
@@ -783,6 +783,7 @@ class RuntimeCallTimer final {
  V(LoadIC_LoadNormal)                           \
  V(LoadIC_LoadScriptContextFieldStub)           \
  V(LoadIC_LoadViaGetter)                        \
+  V(LoadIC_NonReceiver)                          \
  V(LoadIC_Premonomorphic)                       \
  V(LoadIC_SlowStub)                             \
  V(LoadIC_StringLengthStub)                     \
@@ -794,6 +795,7 @@ class RuntimeCallTimer final {
  V(StoreIC_HandlerCacheHit_Accessor)            \
  V(StoreIC_HandlerCacheHit_Data)                \
  V(StoreIC_HandlerCacheHit_Transition)          \
+  V(StoreIC_NonReceiver)                         \
  V(StoreIC_Premonomorphic)                      \
  V(StoreIC_SlowStub)                            \
  V(StoreIC_StoreCallback)                       \

--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -620,6 +620,13 @@ MaybeHandle<Object> LoadIC::Load(Handle<Object> object, Handle<Name> name) {
  // If the object is undefined or null it's illegal to try to get any
  // of its properties; throw a TypeError in that case.
  if (object->IsUndefined(isolate()) || object->IsNull(isolate())) {
+    if (FLAG_use_ic && state() != UNINITIALIZED && state() != PREMONOMORPHIC) {
+      // Ensure the IC state progresses.
+      TRACE_HANDLER_STATS(isolate(), LoadIC_NonReceiver);
+      update_receiver_map(object);
+      PatchCache(name, slow_stub());
+      TRACE_IC("LoadIC", name);
+    }
    return TypeError(MessageTemplate::kNonObjectPropertyLoad, object, name);
  }

@@ -1820,6 +1827,13 @@ MaybeHandle<Object> StoreIC::Store(Handle<Object> object, Handle<Name> name,
  // If the object is undefined or null it's illegal to try to set any
  // properties on it; throw a TypeError in that case.
  if (object->IsUndefined(isolate()) || object->IsNull(isolate())) {
+    if (FLAG_use_ic && state() != UNINITIALIZED && state() != PREMONOMORPHIC) {
+      // Ensure the IC state progresses.
+      TRACE_HANDLER_STATS(isolate(), StoreIC_NonReceiver);
+      update_receiver_map(object);
+      PatchCache(name, slow_stub());
+      TRACE_IC("StoreIC", name);
+    }
    return TypeError(MessageTemplate::kNonObjectPropertyStore, object, name);
  }


--- a/test/mjsunit/regress/regress-v8-5697.js
+++ b/test/mjsunit/regress/regress-v8-5697.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function load(o) { return o.x; }
+
+for (var x = 0; x < 1000; ++x) {
+  load({x});
+  load({x});
+  try { load(); } catch (e) { }
+}
+
+assertOptimized(load);
+
+
+function store(o) { o.x = -1; }
+
+for (var x = 0; x < 1000; ++x) {
+  store({x});
+  store({x});
+  try { store(); } catch (e) { }
+}
+
+assertOptimized(store);