1. 22 Oct, 2014 1 commit
  2. 06 Nov, 2013 1 commit
    • mvstanton@chromium.org's avatar
      Correct handling of arrays with callbacks in the prototype chain. · cec8548d
      mvstanton@chromium.org authored
      Our generic KeyedStoreIC doesn't handle the case when a callback is
      set on array elements in the prototype chain of the object, nor do
      we recognize that we need to avoid the monomorphic case if these
      callbacks exist.
      
      This CL addresses the issue by looking for dictionary elements in
      the prototype chain on IC misses and crankshaft element store
      instructions. When found, the generic IC is used. The generic IC is
      changed to go to the runtime in this case too.
      
      In general, keyed loads are immune from this problem because they
      won't return the hole: discovery of the hole goes to the runtime where
      the callback will be found in the prototype chain. Double array loads
      in crankshaft can return the hole but only if the prototype chain is
      unaltered (we will catch such alterations).
      
      Includes the following patch as well (already reviewed by bmeurer):
      Performance regression found in test regress-2185-2.js. The problem was
      that the bailout method for TransitionAndStoreStub was not performing
      the appropriate transition.
      
      (Review URL for the ElementsTransitionAndStoreIC_Miss change:
      https://codereview.chromium.org/26911007)
      
      R=danno@chromium.org
      
      Review URL: https://codereview.chromium.org/35413006
      
      git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17525 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
      cec8548d