[GC] Align behavior of JSProxy with JSObject when embedded in optimized code

With --harmony-proxies enabled, embedded pointers in optimized code can point to
a JSProxy (via a cell). Since JSProxy can morph into JSObject we need to align
the expectations of weak vs strong refs.

With this patch we also treat JSPRoxy as weak ref (like JSObject) and therefore
properly record a dependency on it, so that once the cell pointing to it becomes
unreachable we deoptimize the corresponding code.

BUG=v8:4359
LOG=N

Review URL: https://codereview.chromium.org/1270393003

Cr-Commit-Position: refs/heads/master@{#30067}

diff --git a/src/objects-inl.h b/src/objects-inl.h
index d8175c7..21ad849 100644 (file)
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -4735,7 +4735,8 @@ bool Code::IsWeakObjectInOptimizedCode(Object* object) {
   } else if (object->IsPropertyCell()) {
     object = PropertyCell::cast(object)->value();
   }
-  if (object->IsJSObject()) {
+  if (object->IsJSObject() || object->IsJSProxy()) {
+    // JSProxy is handled like JSObject because it can morph into one.
     return FLAG_weak_embedded_objects_in_optimized_code;
   }
   if (object->IsFixedArray()) {