From 0142786cea0853797506d3268c15e98360101b47 Mon Sep 17 00:00:00 2001
From: "bmeurer@chromium.org"
Date: Thu, 21 Aug 2014 06:23:44 +0000
Subject: [PATCH] Don't inline Array.shift() if receiver map is not extensible.

TEST=mjsunit/regress/regress-crbug-405517
BUG=405517
LOG=y
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/491863002
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23255 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/hydrogen.cc | 2 +-
 test/mjsunit/regress/regress-crbug-405517.js | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-405517.js
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 59d3bb9..f4e905d 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -8343,7 +8343,7 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall(
 ElementsKind kind = receiver_map->elements_kind();
 if (!IsFastElementsKind(kind)) return false;
 if (receiver_map->is_observed()) return false;
- DCHECK(receiver_map->is_extensible());
+ if (!receiver_map->is_extensible()) return false;

 // If there may be elements accessors in the prototype chain, the fast
 // inlined version can't be used.
diff --git a/test/mjsunit/regress/regress-crbug-405517.js b/test/mjsunit/regress/regress-crbug-405517.js
new file mode 100644
index 0000000..36c3f4f
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-405517.js
@@ -0,0 +1,16 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --gc-interval=203
+
+function f() {
+ var e = [0];
+ %PreventExtensions(e);
+ for (var i = 0; i < 4; i++) e.shift();
+}
+
+f();
+f();
+%OptimizeFunctionOnNextCall(f);
+f();
--
2.7.4
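Review bot: The new bailout `if (!receiver_map->is_extensible()) return false;` in the src/hydrogen.cc hunk has no comment saying why it must be a runtime check, unlike the elements-accessor check right below it. It replaces a DCHECK, which is compiled out of release builds, so the invariant was not enforced there even though script can make the receiver non-extensible. I would add above it `// Script can make the receiver non-extensible; bail out to the generic call instead of asserting.` TryInlineBuiltinMethodCall starts and ends outside this hunk, so I cannot see its other cases. Any remaining DCHECK there on map state that script can influence probably deserves the same conversion.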
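Review bot: The new test in test/mjsunit/regress/regress-crbug-405517.js asserts nothing and passes only by not crashing, and it does not say why `--gc-interval=203` is needed. A comment above `function f()` such as `// Optimized shift() on a non-extensible array must not use the inlined fast path.` would record the intent. Adding `assertEquals(0, e.length);` after the loop would pin the observable result. Only `%PreventExtensions` is exercised; sealed and frozen arrays presumably reach the same bailout and may be worth covering as well.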