Reviewers: Igor Sheludko,
Message:
ptal
Description:
Properly handle misses from normalized stores with keys convertible to array indices
BUG=chromium:509961
LOG=n
Please review this at https://codereview.chromium.org/1241613003/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+27, -3 lines):
M src/ic/ic.cc
A + test/mjsunit/regress/regress-509961.js
Index: src/ic/ic.cc
diff --git a/src/ic/ic.cc b/src/ic/ic.cc
index
0c5867d2a33c52aa9f46c82c76f2ddc61c008937..57bfb44c8a7d4639a53406bc0d8fb90905737ca7
100644
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -1492,6 +1492,27 @@ bool StoreIC::LookupForWrite(LookupIterator* it,
Handle<Object> value,
MaybeHandle<Object> StoreIC::Store(Handle<Object> object, Handle<Name>
name,
Handle<Object> value,
JSReceiver::StoreFromKeyed store_mode) {
+ // Check if the name is trivially convertible to an index and set the
element.
+ uint32_t index;
+ if (kind() == Code::KEYED_STORE_IC && name->AsArrayIndex(&index)) {
+ // Rewrite to the generic keyed load stub.
+ if (FLAG_use_ic) {
+ if (UseVector()) {
+ ConfigureVectorState(MEGAMORPHIC);
+ } else if (!AddressIsDeoptimizedCode()) {
+ set_target(*megamorphic_stub());
+ }
+ TRACE_IC("StoreIC", name);
+ TRACE_GENERIC_IC(isolate(), "StoreIC", "name as array index");
+ }
+ Handle<Object> result;
+ ASSIGN_RETURN_ON_EXCEPTION(
+ isolate(), result,
+ Object::SetElement(isolate(), object, index, value,
language_mode()),
+ Object);
+ return result;
+ }
+
if (object->IsGlobalObject() && name->IsString()) {
// Look up in script context table.
Handle<String> str_name = Handle<String>::cast(name);
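Review bot: The comment inside the new KEYED_STORE_IC branch reads `// Rewrite to the generic keyed load stub.`, but this is StoreIC::Store and the branch installs the megamorphic store stub, so it should read `// Rewrite to the generic keyed store stub.`. The branch also returns before all of the receiver handling that follows in Store, so Object::SetElement becomes the only validation the receiver gets on this path. It presumably treats undefined/null receivers the same way the named path does, but that is worth confirming since those checks lie outside the hunk. If the invariant is that an index-like name must never reach the named-property lookup below, a why-comment saying so would help, e.g. `// Index-like names take the element path; the named store path below expects a non-index name.` Store's body continues past the end of the hunk.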
Index: test/mjsunit/regress/regress-509961.js
diff --git a/test/message/arrow-param-after-rest.js
b/test/mjsunit/regress/regress-509961.js
similarity index 57%
copy from test/message/arrow-param-after-rest.js
copy to test/mjsunit/regress/regress-509961.js
index
0fade6c31d3cb6c2e82fb7027628fdfae96e1962..d28bc8a268dcba150b511f02d17672989176e420
100644
--- a/test/message/arrow-param-after-rest.js
+++ b/test/mjsunit/regress/regress-509961.js
@@ -1,7 +1,10 @@
// Copyright 2015 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-//
-// Flags: --harmony-rest-parameters --harmony-arrow-functions
-(...x, y) => 10
+var o = { x: 0 };
+delete o.x;
+function store(o, p, v) { o[p] = v; }
+store(o, "x", 1);
+store(o, "x", 1);
+store(o, "0", 1);
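Review bot: The regression test makes no assertion, so it only shows that the final `store(o, "0", 1)` does not crash. Adding `assertEquals(1, o[0]);` and `assertEquals(1, o.x);` after the last store would also pin that the index-like key was written as an element and the named property survived. A leading comment describing the setup would help a future reader, e.g. `// delete normalizes o; two "x" stores warm the keyed store IC before the index-like key "0" is stored.` The IC states are not visible from the test itself, so that wording should be checked against the bug.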