Don't inline Array.shift() if receiver map is not extensible.

TEST=mjsunit/regress/regress-crbug-405517
BUG=405517
LOG=y
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/491863002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23255 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 59d3bb9..f4e905d 100644 (file)
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -8343,7 +8343,7 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall(
       ElementsKind kind = receiver_map->elements_kind();
       if (!IsFastElementsKind(kind)) return false;
       if (receiver_map->is_observed()) return false;
-      DCHECK(receiver_map->is_extensible());
+      if (!receiver_map->is_extensible()) return false;
 
       // If there may be elements accessors in the prototype chain, the fast
       // inlined version can't be used.

diff --git a/test/mjsunit/regress/regress-crbug-405517.js b/test/mjsunit/regress/regress-crbug-405517.js
new file mode 100644 (file)
index 0000000..36c3f4f
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-405517.js
@@ -0,0 +1,16 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --gc-interval=203
+
+function f() {
+ var e = [0];
+ %PreventExtensions(e);
+ for (var i = 0; i < 4; i++) e.shift();
+}
+
+f();
+f();
+%OptimizeFunctionOnNextCall(f);
+f();