Fix LoadGlobalIC for cleared WeakCells

BUG=chromium:702793 Change-Id: Ia52823968a757f8f7fc8802deab60f570ffdb58c Reviewed-on: https://chromium-review.googlesource.com/456280Reviewed-by: Adam Klein <adamk@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#43920}

Fix LoadGlobalIC for cleared WeakCells
BUG=chromium:702793 Change-Id: Ia52823968a757f8f7fc8802deab60f570ffdb58c Reviewed-on: https://chromium-review.googlesource.com/456280Reviewed-by: Adam Klein <adamk@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#43920}
f89db5d2 · Jakob Kummerow · Commit Bot · 2bcd3cbb · f89db5d2 · f89db5d2
Commit f89db5d2 authored Mar 17, 2017 by Jakob Kummerow Committed by Commit Bot Mar 18, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 27 additions and 9 deletions

accessor-assembler.cc src/ic/accessor-assembler.cc +8 -9

regress-crbug-702793.js test/mjsunit/regress/regress-crbug-702793.js +19 -0

No files found.
--- a/src/ic/accessor-assembler.cc
+++ b/src/ic/accessor-assembler.cc
@@ -497,10 +497,10 @@ void AccessorAssembler::HandleLoadICProtoHandlerCase(

    Bind(&load_from_cached_holder);
    {
-      Node* holder = LoadWeakCellValue(maybe_holder_cell);
-      // The |holder| is guaranteed to be alive at this point since we passed
-      // both the receiver map check and the validity cell check.
-      CSA_ASSERT(this, WordNotEqual(holder, IntPtrConstant(0)));
+      // For regular holders, having passed the receiver map check and the
+      // validity cell check implies that |holder| is alive. However, for
+      // global object receivers, the |maybe_holder_cell| may be cleared.
+      Node* holder = LoadWeakCellValue(maybe_holder_cell, miss);

      var_holder->Bind(holder);
      Goto(&done);
@@ -571,11 +571,10 @@ Node* AccessorAssembler::EmitLoadICProtoArrayCheck(const LoadICParameters* p,
  GotoIf(WordEqual(maybe_holder_cell, NullConstant()), &done);

  {
-    var_holder.Bind(LoadWeakCellValue(maybe_holder_cell));
-    // The |holder| is guaranteed to be alive at this point since we passed
-    // the receiver map check, the validity cell check and the prototype chain
-    // check.
-    CSA_ASSERT(this, WordNotEqual(var_holder.value(), IntPtrConstant(0)));
+    // For regular holders, having passed the receiver map check and the
+    // validity cell check implies that |holder| is alive. However, for
+    // global object receivers, the |maybe_holder_cell| may be cleared.
+    var_holder.Bind(LoadWeakCellValue(maybe_holder_cell, miss));
    Goto(&done);
  }


--- a/test/mjsunit/regress/regress-crbug-702793.js
+++ b/test/mjsunit/regress/regress-crbug-702793.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc
+
+prop = "property";
+
+function f(o) {
+  return o.prop;
+}
+
+f(this);
+f(this);
+
+delete this.prop;
+
+gc();
+assertEquals(undefined, f(this));