Reviewers: Toon Verwaest,
Message:
PTAL. Let me know if you have an idea for a better fix.
Description:
Fix ASSERT violation when BinaryOpIC::Transition recurses into itself
BUG=chromium:352586
LOG=n
Please review this at https://codereview.chromium.org/201313002/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+14, -13 lines):
M src/ic.h
M src/ic.cc
A + test/mjsunit/regress/regress-crbug-352586.js
Index: src/ic.cc
diff --git a/src/ic.cc b/src/ic.cc
index
f1e3c5539d64fbd9f74cc0de671edc62a2cb3db6..583ab3b0aae1fce986f3ee29998caa47c34fce50
100644
--- a/src/ic.cc
+++ b/src/ic.cc
@@ -2404,8 +2404,9 @@ MaybeObject*
BinaryOpIC::Transition(Handle<AllocationSite> allocation_site,
isolate(), function, left, 1, &right, &caught_exception);
if (caught_exception) return Failure::Exception();
- // Compute the new state.
- State old_state = state;
+ // Compute the new state. Read it again from raw_target because the
+ // call above might have modified it.
+ State old_state(raw_target()->extra_ic_state());
state.Update(left, right, result);
// Check if we have a string operation here.
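Review bot: `state` on the line after the new `old_state` is still the snapshot taken before Execution::Call, so only `old_state` reflects the target a nested Transition may have installed; `state.Update(left, right, result)` then derives the new stub from stale data, and if the inner call generalized the IC the outer frame would presumably install a narrower stub that the next execution has to transition away from again. Re-reading both from the same place keeps them consistent, e.g. `State old_state(raw_target()->extra_ic_state());` followed by `state = old_state;` immediately before the Update. The new comment could also name the hazard rather than just the mechanism: `// The call above can re-enter Transition and replace the target, so re-read the state.` Transition begins before and continues after this hunk, so the later uses of `state` and `old_state` are not visible here.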
Index: src/ic.h
diff --git a/src/ic.h b/src/ic.h
index
7a9d7fbb5390929f7fa42388ad866ce1077fe44d..85bd17132eb0c1a190f5b77efadbe5b9f7a8a874
100644
--- a/src/ic.h
+++ b/src/ic.h
@@ -247,10 +247,12 @@ class IC {
extra_ic_state_ = state;
}
- private:
+ protected:
Code* raw_target() const {
return GetTargetAtAddress(address(), constant_pool());
}
+
+ private:
inline ConstantPoolArray* constant_pool() const;
inline ConstantPoolArray* raw_constant_pool() const;
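Review bot: `raw_target()` now becomes part of the subclass interface without a comment on its contract; it returns a raw `Code*` obtained through GetTargetAtAddress rather than a handle, so presumably it must not be held across anything that can allocate or re-enter the IC, and the new caller in ic.cc is correct only because it reads `extra_ic_state()` immediately. Suggested comment above the accessor: `// Current target read straight from the call site. Raw pointer: re-read it after any call that can run JavaScript or allocate; never cache it.` The IC class continues outside this hunk.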
Index: test/mjsunit/regress/regress-crbug-352586.js
diff --git a/test/mjsunit/regress/regress-350865.js
b/test/mjsunit/regress/regress-crbug-352586.js
similarity index 53%
copy from test/mjsunit/regress/regress-350865.js
copy to test/mjsunit/regress/regress-crbug-352586.js
index
74234db8842929a57d93a10cda0f62078f014845..2210480990b30e5e899030e6588a29a03a56a1f3
100644
--- a/test/mjsunit/regress/regress-350865.js
+++ b/test/mjsunit/regress/regress-crbug-352586.js
@@ -2,16 +2,14 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-// Flags: --stress-compaction --stack-size=150
+var a = {};
-/\2/.test("1");
-
-function rec() {
- try {
- rec();
- } catch(e) {
- /\2/.test("1");
- }
+function getter() {
+ do {
+ return a + 1;
+ } while (false);
}
-rec();
+a.__proto__ = Error("");
+a.__defineGetter__('message', getter);
+a.message;
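Review bot: The test carries no comment tying it to the bug it regresses; a reader sees a getter computing `a + 1` on an object whose prototype is an Error and has to infer from the description that evaluating `a.message` re-enters the binary-op IC through that getter. Suggest a comment under the license header: `// Regression test for chromium:352586: a getter that re-enters the binary operation IC while it is transitioning.` Dropping the copied file's `--stress-compaction --stack-size=150` Flags line appears intentional, since this test does not depend on stack exhaustion, but the commit message could say so.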
--