Don't generate keyed store ICs for global proxies.

BUG=352983
LOG=y
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/197873025

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20011 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/ic.cc b/src/ic.cc
index a3f99e4..5392fbc 100644 (file)
--- a/src/ic.cc
+++ b/src/ic.cc
@@ -1687,7 +1687,9 @@ MaybeObject* KeyedStoreIC::Store(Handle<Object> object,
                                   JSReceiver::MAY_BE_STORE_FROM_KEYED);
     if (maybe_object->IsFailure()) return maybe_object;
   } else {
-    bool use_ic = FLAG_use_ic && !object->IsAccessCheckNeeded() &&
+    bool use_ic = FLAG_use_ic &&
+        !object->IsAccessCheckNeeded() &&
+        !object->IsJSGlobalProxy() &&
         !(object->IsJSObject() &&
           JSObject::cast(*object)->map()->is_observed());
     if (use_ic && !object->IsSmi()) {

diff --git a/test/mjsunit/regress/regress-keyed-store-global.js b/test/mjsunit/regress/regress-keyed-store-global.js
new file mode 100644 (file)
index 0000000..1b12777
--- /dev/null
+++ b/test/mjsunit/regress/regress-keyed-store-global.js
@@ -0,0 +1,12 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --verify-heap
+function f(a) {
+  for (var i = 0; i < 256; i++) a[i] = i;
+}
+
+f([]);
+f([]);
+f(this);