From dbb16eaec3816056ac966bb83e5e782a752646dc Mon Sep 17 00:00:00 2001 From: "verwaest@chromium.org" Date: Mon, 10 Jun 2013 11:27:09 +0000 Subject: [PATCH] Lookup transition again after migrating a transition target. R=ulan@chromium.org BUG=chromium:242332 Review URL: https://chromiumcodereview.appspot.com/16347005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15031 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 --- src/ic.cc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/ic.cc b/src/ic.cc index ef8ab8a..db1cb95 100644 --- a/src/ic.cc +++ b/src/ic.cc @@ -1541,6 +1541,10 @@ static bool LookupForWrite(Handle receiver, Handle target(lookup->GetTransitionMapFromMap(receiver->map())); Map::GeneralizeRepresentation( target, target->LastAdded(), value->OptimalRepresentation()); + // Lookup the transition again since the transition tree may have changed + // entirely by the migration above. + receiver->map()->LookupTransition(*holder, *name, lookup); + if (!lookup->IsTransition()) return false; *state = MONOMORPHIC_PROTOTYPE_FAILURE; } return true; -- 2.7.4