Disallow updates to ic_with_type_info_count with negative values.

R=jkummerow@chromium.org

Review URL: https://chromiumcodereview.appspot.com/10883064

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12386 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/objects-inl.h b/src/objects-inl.h
index 756b40b..7083fba 100644 (file)
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -5241,10 +5241,17 @@ int TypeFeedbackInfo::ic_with_type_info_count() {
 
 void TypeFeedbackInfo::change_ic_with_type_info_count(int delta) {
   int value = Smi::cast(READ_FIELD(this, kStorage2Offset))->value();
-  int current_count = ICsWithTypeInfoCountField::decode(value);
-  value =
-      ICsWithTypeInfoCountField::update(value, current_count + delta);
-  WRITE_FIELD(this, kStorage2Offset, Smi::FromInt(value));
+  int new_count = ICsWithTypeInfoCountField::decode(value) + delta;
+  // We can get negative count here when the type-feedback info is
+  // shared between two code objects. The can only happen when
+  // the debugger made a shallow copy of code object (see Heap::CopyCode).
+  // Since we do not optimize when the debugger is active, we can skip
+  // this counter update.
+  if (new_count >= 0) {
+    new_count &= ICsWithTypeInfoCountField::kMask;
+    value = ICsWithTypeInfoCountField::update(value, new_count);
+    WRITE_FIELD(this, kStorage2Offset, Smi::FromInt(value));
+  }
 }