projects / platform / upstream / v8.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5a803ca)
Fix for v8:3255 Grow KeyedStoreIC doesn't respect String value wrappers
authormvstanton@chromium.org <mvstanton@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Mon, 7 Apr 2014 07:52:24 +0000 (07:52 +0000)
committermvstanton@chromium.org <mvstanton@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Mon, 7 Apr 2014 07:52:24 +0000 (07:52 +0000)
BUG=v8:3255
LOG=N
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/226053002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20527 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/ic.cc patch | blob | history
test/mjsunit/regress/regress-3255.js [new file with mode: 0644] patch | blob

diff --git a/src/ic.cc b/src/ic.cc
index 8e2d589..0861a80 100644 (file)
--- a/src/ic.cc
+++ b/src/ic.cc
@@ -1690,6 +1690,7 @@ MaybeObject* KeyedStoreIC::Store(Handle<Object> object,
     if (maybe_object->IsFailure()) return maybe_object;
   } else {
     bool use_ic = FLAG_use_ic &&
+        !object->IsStringWrapper() &&
         !object->IsAccessCheckNeeded() &&
         !object->IsJSGlobalProxy() &&
         !(object->IsJSObject() &&
diff --git a/test/mjsunit/regress/regress-3255.js b/test/mjsunit/regress/regress-3255.js
new file mode 100644 (file)
index 0000000..0e77435
--- /dev/null
+++ b/test/mjsunit/regress/regress-3255.js
@@ -0,0 +1,19 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --enable-slow-asserts
+
+var arr = [];
+var str = new String('x');
+
+function f(a,b) {
+  a[b] = 1;
+}
+
+f(arr, 0);
+f(str, 0);
+f(str, 0);
+
+// This is just to trigger elements validation, object already broken.
+%SetProperty(str, 1, 'y', 0);
Domain: Web Framework / Web Engine;