Rely on the map being a dictionary map rather than not having a backpointer

BUG=chromium:500173
LOG=n

Review URL: https://codereview.chromium.org/1194513003

Cr-Commit-Position: refs/heads/master@{#29074}

diff --git a/src/lookup.cc b/src/lookup.cc
index 6a26663..b91ad4c 100644 (file)
--- a/src/lookup.cc
+++ b/src/lookup.cc
@@ -236,7 +236,7 @@ void LookupIterator::PrepareTransitionToDataProperty(
         Handle<GlobalObject>::cast(receiver), name());
     DCHECK(cell->value()->IsTheHole());
     transition_ = cell;
-  } else if (transition->GetBackPointer()->IsMap()) {
+  } else if (!transition->is_dictionary_map()) {
     property_details_ = transition->GetLastDescriptorDetails();
     has_property_ = true;
   }

diff --git a/src/lookup.h b/src/lookup.h
index c7a4a36..c2b9807 100644 (file)
--- a/src/lookup.h
+++ b/src/lookup.h
@@ -207,7 +207,8 @@ class LookupIterator final BASE_EMBEDDED {
   bool IsCacheableTransition() {
     if (state_ != TRANSITION) return false;
     return transition_->IsPropertyCell() ||
-           transition_map()->GetBackPointer()->IsMap();
+           (!transition_map()->is_dictionary_map() &&
+            transition_map()->GetBackPointer()->IsMap());
   }
   void ApplyTransitionToDataProperty();
   void ReconfigureDataProperty(Handle<Object> value,

diff --git a/test/mjsunit/regress/regress-500173.js b/test/mjsunit/regress/regress-500173.js
new file mode 100644 (file)
index 0000000..b7083b2
--- /dev/null
+++ b/test/mjsunit/regress/regress-500173.js
@@ -0,0 +1,12 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function f(a) {
+  a.foo = {};
+  a[0] = 1;
+  a.__defineGetter__('foo', function() {});
+  a[0] = {};
+  a.bar = 0;
+}
+f(new Array());