Reviewers: Vyacheslav Egorov, Description: Fix bug in compare IC. BUG=2291 This is a back port of r12313 to the 3.11 branch.
Please review this at https://chromiumcodereview.appspot.com/10857055/ SVN Base: http://v8.googlecode.com/svn/branches/3.11/ Affected files: M src/code-stubs.cc M src/heap.h M src/version.cc A test/mjsunit/regress/regress-2291.js Index: src/code-stubs.cc =================================================================== --- src/code-stubs.cc (revision 12326) +++ src/code-stubs.cc (working copy) @@ -172,7 +172,9 @@ Isolate* isolate = new_object->GetIsolate(); Factory* factory = isolate->factory(); return Map::UpdateCodeCache(known_map_, - factory->compare_ic_symbol(), + strict() ? + factory->strict_compare_ic_symbol() : + factory->compare_ic_symbol(), new_object); } @@ -183,10 +185,16 @@ Code::Flags flags = Code::ComputeFlags( static_cast<Code::Kind>(GetCodeKind()), UNINITIALIZED); + ASSERT(op_ == Token::EQ || op_ == Token::EQ_STRICT); Handle<Object> probe( - known_map_->FindInCodeCache(*factory->compare_ic_symbol(), flags)); + known_map_->FindInCodeCache( + strict() ? + *factory->strict_compare_ic_symbol() : + *factory->compare_ic_symbol(), + flags)); if (probe->IsCode()) { *code_out = Code::cast(*probe); + ASSERT(op_ == (*code_out)->compare_operation() + Token::EQ); return true; } return false; Index: src/heap.h =================================================================== --- src/heap.h (revision 12326) +++ src/heap.h (working copy) @@ -240,7 +240,8 @@ V(use_strict, "use strict") \ V(dot_symbol, ".") \ V(anonymous_function_symbol, "(anonymous function)") \ - V(compare_ic_symbol, ".compare_ic") \ + V(compare_ic_symbol, "==") \ + V(strict_compare_ic_symbol, "===") \ V(infinity_symbol, "Infinity") \ V(minus_infinity_symbol, "-Infinity") \ V(hidden_stack_trace_symbol, "v8::hidden_stack_trace") \ Index: src/version.cc =================================================================== --- src/version.cc (revision 12326) +++ src/version.cc (working copy) @@ -35,7 +35,7 @@ #define MAJOR_VERSION 3 #define MINOR_VERSION 11 #define BUILD_NUMBER 10 -#define PATCH_LEVEL 18 +#define PATCH_LEVEL 19 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) #define IS_CANDIDATE_VERSION 0 Index: test/mjsunit/regress/regress-2291.js =================================================================== --- test/mjsunit/regress/regress-2291.js (revision 0) +++ test/mjsunit/regress/regress-2291.js (revision 0) @@ -0,0 +1,36 @@ +// Copyright 2012 the V8 project authors. All rights reserved. +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials provided +// with the distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived +// from this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +function StrictCompare(x) { return x === Object(x); } + +var obj = new Object(); +var obj2 = new Object(); +obj == obj; // Populate IC cache with non-strict comparison. + +StrictCompare(obj); // Set IC in StrictCompare from IC cache. + +assertFalse(StrictCompare('foo')); // Use == stub for === operation. -- v8-dev mailing list [email protected] http://groups.google.com/group/v8-dev
