Fix IC cache confusion on String.prototype.length

BUG=416416
LOG=N
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/587363002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24174 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/ic/ic.cc b/src/ic/ic.cc
index 7f346a0..63c3799 100644 (file)
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -929,7 +929,14 @@ Handle<Code> IC::ComputeHandler(LookupIterator* lookup, Handle<Object> value) {
   code = CompileHandler(lookup, value, flag);
   DCHECK(code->is_handler());
 
-  if (code->type() != Code::NORMAL) {
+  // TODO(mvstanton): we'd only like to cache code on the map when it's custom
+  // code compiled for this map, otherwise it's already cached in the global
+  // code
+  // cache. We are also guarding against installing code with flags that don't
+  // match the desired CacheHolderFlag computed above, which would lead to
+  // invalid lookups later.
+  if (code->type() != Code::NORMAL &&
+      Code::ExtractCacheHolderFromFlags(code->flags()) == flag) {
     Map::UpdateCodeCache(stub_holder_map, lookup->name(), code);
   }
 

diff --git a/test/mjsunit/regress/regress-416416.js b/test/mjsunit/regress/regress-416416.js
new file mode 100644 (file)
index 0000000..66e882e
--- /dev/null
+++ b/test/mjsunit/regress/regress-416416.js
@@ -0,0 +1,14 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function foo() {
+  try {
+    String.prototype.length.x();
+  } catch (e) {
+  }
+}
+
+foo();
+foo();
+foo();