review.tizen.org Git - platform/upstream/v8.git/commit

Make optimized Function.prototype.apply safe for non-JSObject first arguments.

If we have a property access of the form this.x, where the access site sees
the global object, we can specialize the IC stub so that it performs a map
check without first performing a heap object check.

Ensure that we do not get in JS code with a non-JSObject this value by
deoptimizing at Function.prototype.apply if the first argument is not a
JSObject.

BUG=v8:1128

Review URL: http://codereview.chromium.org/6463025

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6707 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

author	kmillikin@chromium.org <kmillikin@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
	Wed, 9 Feb 2011 16:43:23 +0000 (16:43 +0000)
committer	kmillikin@chromium.org <kmillikin@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
	Wed, 9 Feb 2011 16:43:23 +0000 (16:43 +0000)
commit	dc91c4218bfc3be5176ca59b8927258e0676a010
tree	4e5ec2ba48a667595663b026b0b8ae1e77927a39	tree \| snapshot
parent	e0422e5401351490652070270e0d31b853761acc	commit \| diff

src/ia32/lithium-codegen-ia32.cc		diff \| blob \| history
src/ia32/lithium-ia32.cc		diff \| blob \| history
src/ia32/lithium-ia32.h		diff \| blob \| history
test/mjsunit/compiler/regress-arguments.js		diff \| blob \| history