[maglev] Add stable map dependency when loading map from closure

victorgomes · V8 LUCI CQ · commit 259a5f8fed67 · 2024-09-30T11:19:28.000Z
Fixed: 369630648 Change-Id: Ib298eca15e2a9ca8bb12db685a60c5f94a9dc1cc Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5891221 Reviewed-by: Olivier Flückiger <olivf@chromium.org> Auto-Submit: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Olivier Flückiger <olivf@chromium.org> Cr-Commit-Position: refs/heads/main@{#96334}
diff --git a/src/maglev/maglev-graph-builder.cc b/src/maglev/maglev-graph-builder.cc
@@ -7012,15 +7012,21 @@ void MaglevGraphBuilder::VisitDeletePropertySloppy() {
 
 void MaglevGraphBuilder::VisitGetSuperConstructor() {
   ValueNode* active_function = GetAccumulator();
-  ValueNode* map_proto;
+  // TODO(victorgomes): Maybe BuildLoadTaggedField should support constants
+  // instead.
   if (compiler::OptionalHeapObjectRef constant =
           TryGetConstant(active_function)) {
-    map_proto = GetConstant(constant->map(broker()).prototype(broker()));
-  } else {
-    ValueNode* map =
-        BuildLoadTaggedField(active_function, HeapObject::kMapOffset);
-    map_proto = BuildLoadTaggedField(map, Map::kPrototypeOffset);
+    compiler::MapRef map = constant->map(broker());
+    if (map.is_stable()) {
+      broker()->dependencies()->DependOnStableMap(map);
+      ValueNode* map_proto = GetConstant(map.prototype(broker()));
+      StoreRegister(iterator_.GetRegisterOperand(0), map_proto);
+      return;
+    }
   }
+  ValueNode* map =
+      BuildLoadTaggedField(active_function, HeapObject::kMapOffset);
+  ValueNode* map_proto = BuildLoadTaggedField(map, Map::kPrototypeOffset);
   StoreRegister(iterator_.GetRegisterOperand(0), map_proto);
 }
 
diff --git a/test/mjsunit/maglev/regress-369630648.js b/test/mjsunit/maglev/regress-369630648.js
@@ -0,0 +1,18 @@
+// Copyright 2024 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax --no-lazy-feedback-allocation
+
+class C extends Array {
+  constructor() {
+      (() => (() => super())())();
+  }
+}
+%PrepareFunctionForOptimization(C);
+new C();
+new C();
+%OptimizeFunctionOnNextCall(C);
+new C();
+C.__proto__ = [1];
+assertThrows(() => { new C() }, TypeError);
