Skip to content
Permalink
Browse files

Don't look at abandoned prototype maps when looking for root maps

Bug: chromium:757199, chromium:758773, chromium:758821
Change-Id: I70644853770501b13992bd7bf78d168ca2308d64
Reviewed-on: https://chromium-review.googlesource.com/635223
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47603}
  • Loading branch information...
camillobruni authored and Commit Bot committed Aug 25, 2017
1 parent c8543c1 commit 8a7ce927a685d4007e02298881d85c7d5f273777
@@ -2344,10 +2344,12 @@ bool JSNativeContextSpecialization::ExtractReceiverMaps(
// Try to filter impossible candidates based on inferred root map.
Handle<Map> receiver_map;
if (InferReceiverRootMap(receiver).ToHandle(&receiver_map)) {
DCHECK(!receiver_map->is_abandoned_prototype_map());
receiver_maps->erase(
std::remove_if(receiver_maps->begin(), receiver_maps->end(),
[receiver_map](const Handle<Map>& map) {
return map->FindRootMap() != *receiver_map;
return map->is_abandoned_prototype_map() ||
map->FindRootMap() != *receiver_map;
}),
receiver_maps->end());
}
@@ -0,0 +1,31 @@
/// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

var obj1 = {};
var obj2 = {};

function h() {}

h.prototype = obj2;

function g(v) {
v.constructor;
}
function f() {
g(obj1);
}

obj1.x = 0;
f();

obj1.__defineGetter__("x", function() {});

g(obj2);

obj2.y = 0;

%OptimizeFunctionOnNextCall(f);
f();
@@ -0,0 +1,6 @@
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

(0).__defineGetter__(0, function() { });
Number.prototype[0] = "string";

0 comments on commit 8a7ce92

Please sign in to comment.
You can’t perform that action at this time.