From 22231d4703df60d89e36da0a3c7f84f15271119b Mon Sep 17 00:00:00 2001 From: "kasperl@chromium.org" Date: Thu, 2 Jul 2009 10:51:46 +0000 Subject: [PATCH] Fix crash when calling non-function globals. Review URL: http://codereview.chromium.org/151199 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2334 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 --- src/ic.cc | 19 +++++++++---------- test/mjsunit/call-non-function.js | 11 ++++++++++- 2 files changed, 19 insertions(+), 11 deletions(-) diff --git a/src/ic.cc b/src/ic.cc index 43dc1df..dfdf722 100644 --- a/src/ic.cc +++ b/src/ic.cc @@ -460,11 +460,10 @@ void CallIC::UpdateCaches(LookupResult* lookup, if (lookup->holder() != *global) return; JSGlobalPropertyCell* cell = JSGlobalPropertyCell::cast(global->GetPropertyCell(lookup)); - if (cell->value()->IsJSFunction()) { - JSFunction* function = JSFunction::cast(cell->value()); - code = StubCache::ComputeCallGlobal(argc, in_loop, *name, *global, - cell, function); - } + if (!cell->value()->IsJSFunction()) return; + JSFunction* function = JSFunction::cast(cell->value()); + code = StubCache::ComputeCallGlobal(argc, in_loop, *name, *global, + cell, function); } else { // There is only one shared stub for calling normalized // properties. It does not traverse the prototype chain, so the @@ -489,7 +488,7 @@ void CallIC::UpdateCaches(LookupResult* lookup, // If we're unable to compute the stub (not enough memory left), we // simply avoid updating the caches. - if (code->IsFailure()) return; + if (code == NULL || code->IsFailure()) return; // Patch the call site depending on the state of the cache. if (state == UNINITIALIZED || 
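Review bot: The new early `return` on the `!cell->value()->IsJSFunction()` branch carries no comment, so a later reader has to reconstruct why a non-function global is dropped here instead of being treated like the other lookup outcomes in this function. A one-line comment would pin the intent: `// A non-function global cannot be called, so there is no stub to cache; leave the IC untouched.` Presumably this also means a call site that keeps hitting such a global repeats the lookup and throws on every call rather than settling into a cached state, which is acceptable but worth stating next to the return. CallIC::UpdateCaches begins and ends outside this hunk.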
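Review bot: The guard now also returns when `code == NULL`, but the two comment lines above it still describe only the out-of-memory case, so the null condition it newly covers is undocumented; the same stale comment recurs in the four later hunks of this file (LoadIC, KeyedLoadIC, StoreIC and KeyedStoreIC). Suggest rewording to `// If no stub applies (code is NULL) or we're unable to compute one (not enough memory left), we simply avoid updating the caches.` Which path actually leaves `code` null is not visible here, since its declaration and the earlier branches lie outside the hunk, and the non-function case in CallIC now returns before reaching this line, so the check reads as defensive; that is fine for a crash fix but the comment should say so rather than imply it is the only fix.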
@@ -700,7 +699,7 @@ void LoadIC::UpdateCaches(LookupResult* lookup, // If we're unable to compute the stub (not enough memory left), we // simply avoid updating the caches. - if (code->IsFailure()) return; + if (code == NULL || code->IsFailure()) return; // Patch the call site depending on the state of the cache. if (state == UNINITIALIZED || state == PREMONOMORPHIC || @@ -890,7 +889,7 @@ void KeyedLoadIC::UpdateCaches(LookupResult* lookup, State state, // If we're unable to compute the stub (not enough memory left), we // simply avoid updating the caches. - if (code->IsFailure()) return; + if (code == NULL || code->IsFailure()) return; // Patch the call site depending on the state of the cache. Make // sure to always rewrite from monomorphic to megamorphic. @@ -1042,7 +1041,7 @@ void StoreIC::UpdateCaches(LookupResult* lookup, // If we're unable to compute the stub (not enough memory left), we // simply avoid updating the caches. - if (code->IsFailure()) return; + if (code == NULL || code->IsFailure()) return; // Patch the call site depending on the state of the cache. if (state == UNINITIALIZED || state == MONOMORPHIC_PROTOTYPE_FAILURE) { @@ -1164,7 +1163,7 @@ void KeyedStoreIC::UpdateCaches(LookupResult* lookup, // If we're unable to compute the stub (not enough memory left), we // simply avoid updating the caches. - if (code->IsFailure()) return; + if (code == NULL || code->IsFailure()) return; // Patch the call site depending on the state of the cache. Make // sure to always rewrite from monomorphic to megamorphic. diff --git a/test/mjsunit/call-non-function.js b/test/mjsunit/call-non-function.js index 8ed5ccb..9fe3b0f 100644 --- a/test/mjsunit/call-non-function.js +++ b/test/mjsunit/call-non-function.js 
@@ -51,4 +51,13 @@ TryCall(1234); TryCall("hest"); - +// Make sure that calling a non-function global doesn't crash the +// system while building the IC for it. +var NonFunction = 42; +function WillThrow() { + NonFunction(); +} +assertThrows(WillThrow); +assertThrows(WillThrow); +assertThrows(WillThrow); +assertThrows(WillThrow); -- 2.7.4
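Review bot: The four identical `assertThrows(WillThrow)` calls look redundant without a comment, and a future cleanup could collapse them to one, losing the coverage they provide. Presumably the repetition drives the call-site IC through its successive states (the cpp hunks compare against UNINITIALIZED and PREMONOMORPHIC), so a comment such as `// Repeat the call so the IC at this site is exercised in each of its states, not just on first use.` would protect that intent. If the mjsunit harness at this revision accepts an expected-exception argument, passing TypeError would also distinguish the intended "call of a non-function" failure from an unrelated throw.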