Harden %FunctionBindArguments wrt optimized code cache.

R=jkummerow@chromium.org
BUG=387627
LOG=N

Review URL: https://codereview.chromium.org/345463005

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21936 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/compiler.cc b/src/compiler.cc
index a03bbf1ad9f34048bb9c4ca3fc036048e9c0592f..1d6fb1ff1c95ad81ac91dd68ef53970e2711fa2f 100644 (file)
--- a/src/compiler.cc
+++ b/src/compiler.cc
@@ -1041,6 +1041,8 @@ MUST_USE_RESULT static MaybeHandle<Code> GetCodeFromOptimizedCodeMap(
     BailoutId osr_ast_id) {
   if (FLAG_cache_optimized_code) {
     Handle<SharedFunctionInfo> shared(function->shared());
+    // Bound functions are not cached.
+    if (shared->bound()) return MaybeHandle<Code>();
     DisallowHeapAllocation no_gc;
     int index = shared->SearchOptimizedCodeMap(
         function->context()->native_context(), osr_ast_id);
@@ -1070,6 +1072,8 @@ static void InsertCodeIntoOptimizedCodeMap(CompilationInfo* info) {
   if (FLAG_cache_optimized_code) {
     Handle<JSFunction> function = info->closure();
     Handle<SharedFunctionInfo> shared(function->shared());
+    // Do not cache bound functions.
+    if (shared->bound()) return;
     Handle<FixedArray> literals(function->literals());
     Handle<Context> native_context(function->context()->native_context());
     SharedFunctionInfo::AddToOptimizedCodeMap(

diff --git a/test/mjsunit/regress/regress-crbug-387627.js b/test/mjsunit/regress/regress-crbug-387627.js
new file mode 100644 (file)
index 0000000..5c6389b
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-387627.js
@@ -0,0 +1,13 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f() {}
+%FunctionBindArguments(f, {}, undefined, 1);
+
+f();
+f();
+%OptimizeFunctionOnNextCall(f);
+f();