Disable merging simulates across captured objects.

BUG=chromium:416730
LOG=N
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/607453002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24225 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/hydrogen-removable-simulates.cc b/src/hydrogen-removable-simulates.cc
index a28021d..73d7a8e 100644 (file)
--- a/src/hydrogen-removable-simulates.cc
+++ b/src/hydrogen-removable-simulates.cc
@@ -53,6 +53,13 @@ class State : public ZoneObject {
       FlushSimulates();
       return this;
     }
+    if (instr->IsCapturedObject()) {
+      // Do not merge simulates across captured objects - captured objects
+      // change environments during environment replay, and such changes
+      // would not be reflected in the simulate.
+      FlushSimulates();
+      return this;
+    }
     // Skip the non-simulates and the first simulate.
     if (!instr->IsSimulate()) return this;
     if (first_) {

diff --git a/test/mjsunit/regress/regress-416730.js b/test/mjsunit/regress/regress-416730.js
new file mode 100644 (file)
index 0000000..8d7f207
--- /dev/null
+++ b/test/mjsunit/regress/regress-416730.js
@@ -0,0 +1,24 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var d = {x: undefined, y: undefined};
+
+function Crash(left, right) {
+  var c = {
+    x: right.x - left.x,
+    y: right.y - left.y
+  };
+  return c.x * c.y;
+}
+
+var a = {x: 0.5, y: 0};
+var b = {x: 1, y: 0};
+
+for (var i = 0; i < 3; i++) Crash(a, b);
+%OptimizeFunctionOnNextCall(Crash);
+Crash(a, b);
+
+Crash({x: 0, y: 0.5}, b);