Commit f89db5d2 authored by Jakob Kummerow's avatar Jakob Kummerow Committed by Commit Bot

Fix LoadGlobalIC for cleared WeakCells

BUG=chromium:702793

Change-Id: Ia52823968a757f8f7fc8802deab60f570ffdb58c
Reviewed-on: https://chromium-review.googlesource.com/456280
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43920}
parent 2bcd3cbb
...@@ -497,10 +497,10 @@ void AccessorAssembler::HandleLoadICProtoHandlerCase( ...@@ -497,10 +497,10 @@ void AccessorAssembler::HandleLoadICProtoHandlerCase(
Bind(&load_from_cached_holder); Bind(&load_from_cached_holder);
{ {
Node* holder = LoadWeakCellValue(maybe_holder_cell); // For regular holders, having passed the receiver map check and the
// The |holder| is guaranteed to be alive at this point since we passed // validity cell check implies that |holder| is alive. However, for
// both the receiver map check and the validity cell check. // global object receivers, the |maybe_holder_cell| may be cleared.
CSA_ASSERT(this, WordNotEqual(holder, IntPtrConstant(0))); Node* holder = LoadWeakCellValue(maybe_holder_cell, miss);
var_holder->Bind(holder); var_holder->Bind(holder);
Goto(&done); Goto(&done);
...@@ -571,11 +571,10 @@ Node* AccessorAssembler::EmitLoadICProtoArrayCheck(const LoadICParameters* p, ...@@ -571,11 +571,10 @@ Node* AccessorAssembler::EmitLoadICProtoArrayCheck(const LoadICParameters* p,
GotoIf(WordEqual(maybe_holder_cell, NullConstant()), &done); GotoIf(WordEqual(maybe_holder_cell, NullConstant()), &done);
{ {
var_holder.Bind(LoadWeakCellValue(maybe_holder_cell)); // For regular holders, having passed the receiver map check and the
// The |holder| is guaranteed to be alive at this point since we passed // validity cell check implies that |holder| is alive. However, for
// the receiver map check, the validity cell check and the prototype chain // global object receivers, the |maybe_holder_cell| may be cleared.
// check. var_holder.Bind(LoadWeakCellValue(maybe_holder_cell, miss));
CSA_ASSERT(this, WordNotEqual(var_holder.value(), IntPtrConstant(0)));
Goto(&done); Goto(&done);
} }
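Review bot: The rewritten comment in both hunks (HandleLoadICProtoHandlerCase and EmitLoadICProtoArrayCheck) says the cell may be cleared for global object receivers but not what the code does in that case, and the removed CSA_ASSERT was the only line that spelled out the old invariant. I would add one line above each load, `// A cleared cell bails out to |miss|; the holder is never bound to the cleared value.`, so a later edit does not go back to the label-free call. If CSA_ASSERT is compiled out of release builds, as is usual for debug assertions, the old code would have continued with the cleared value there, so any remaining single-argument `LoadWeakCellValue(...)` calls on holder cells elsewhere in this file deserve the same check; none are visible in these hunks. Both enclosing functions start and end outside the hunks.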
......
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc
prop = "property";
function f(o) {
return o.prop;
}
f(this);
f(this);
delete this.prop;
gc();
assertEquals(undefined, f(this));
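Review bot: The regression test has no comment saying which state it depends on, so a later cleanup could drop a line that matters. The two warm-up calls `f(this); f(this);` and the `gc()` after `delete this.prop` look load-bearing (presumably they install the cached handler and then clear the holder cell); I would add `// Warm up the load IC, then delete the global property and force GC so the cached holder cell is cleared.` above the first `f(this);`. The commit patches two code paths, and it is not evident from this page that a single load site reaches both, so it is worth confirming with the author whether a second case is needed for the other path.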