Do not set target in deoptimized code in keyed store IC.

author Jaroslav Sevcik <jarin@chromium.org>

Mon, 9 Mar 2015 10:10:59 +0000 (11:10 +0100)

committer Jaroslav Sevcik <jarin@chromium.org>

Mon, 9 Mar 2015 10:11:13 +0000 (10:11 +0000)
author Jaroslav Sevcik <jarin@chromium.org>
Mon, 9 Mar 2015 10:10:59 +0000 (11:10 +0100)
committer Jaroslav Sevcik <jarin@chromium.org>
Mon, 9 Mar 2015 10:11:13 +0000 (10:11 +0000)
diff --git a/src/ic/ic.cc b/src/ic/ic.cc

index f896d16..41f2a33 100644 (file)
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -2181,7 +2181,9 @@ MaybeHandle<Object> KeyedStoreIC::Store(Handle<Object> object,
      TRACE_GENERIC_IC(isolate(), "KeyedStoreIC", "slow stub");
    }
    DCHECK(!stub.is_null());
-  set_target(*stub);
+  if (!AddressIsDeoptimizedCode()) {
+    set_target(*stub);
+  }
    TRACE_IC("StoreIC", key);
  
    return store_handle;
diff --git a/test/mjsunit/regress/regress-460937.js b/test/mjsunit/regress/regress-460937.js

new file mode 100644 (file)

index 0000000..cd57f93
--- /dev/null
+++ b/test/mjsunit/regress/regress-460937.js
@@ -0,0 +1,19 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f() {
+  var a = new Array(100000);
+  var i = 0;
+  while (!%HasFastDoubleElements(a)) {
+    a[i] = i;
+    i += 0.1;
+  }
+  a[1] = 1.5;
+}
+
+f();
+%OptimizeFunctionOnNextCall(f);
+f();
author	Jaroslav Sevcik <jarin@chromium.org>
	Mon, 9 Mar 2015 10:10:59 +0000 (11:10 +0100)
committer	Jaroslav Sevcik <jarin@chromium.org>
	Mon, 9 Mar 2015 10:11:13 +0000 (10:11 +0000)
src/ic/ic.cc		patch \| blob \| history
test/mjsunit/regress/regress-460937.js	[new file with mode: 0644]	patch \| blob