[turbofan] Ensure that all prototypes are stable for push/pop.

bmeurer · Commit bot · commit 4ed27fc836ac · 2016-09-08T08:48:32.000Z
When lowering Array.prototype.push/.pop to the fast inlined version, we first need to ensure that all prototypes (including the Object.prototype) are stable. R=mvstanton@chromium.org BUG=chromium:644689 Review-Url: https://codereview.chromium.org/2319533005 Cr-Commit-Position: refs/heads/master@{#39266}
diff --git a/src/compiler/js-builtin-reducer.cc b/src/compiler/js-builtin-reducer.cc
@@ -145,11 +145,16 @@ bool CanInlineArrayResizeOperation(Handle<Map> receiver_map) {
   if (!receiver_map->prototype()->IsJSArray()) return false;
   Handle<JSArray> receiver_prototype(JSArray::cast(receiver_map->prototype()),
                                      isolate);
+  // Ensure that all prototypes of the {receiver} are stable.
+  for (PrototypeIterator it(isolate, receiver_prototype, kStartAtReceiver);
+       !it.IsAtEnd(); it.Advance()) {
+    Handle<JSReceiver> current = PrototypeIterator::GetCurrent<JSReceiver>(it);
+    if (!current->map()->is_stable()) return false;
+  }
   return receiver_map->instance_type() == JS_ARRAY_TYPE &&
          IsFastElementsKind(receiver_map->elements_kind()) &&
          !receiver_map->is_dictionary_map() && receiver_map->is_extensible() &&
          (!receiver_map->is_prototype_map() || receiver_map->is_stable()) &&
-         receiver_prototype->map()->is_stable() &&
          isolate->IsFastArrayConstructorPrototypeChainIntact() &&
          isolate->IsAnyInitialArrayPrototype(receiver_prototype) &&
          !IsReadOnlyLengthDescriptor(receiver_map);
diff --git a/test/mjsunit/regress/regress-crbug-644689-1.js b/test/mjsunit/regress/regress-crbug-644689-1.js
@@ -0,0 +1,14 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+for (var i = 0; i < 1024; ++i) Object.prototype["i" + i] = i;
+
+function foo() { [].push(1); }
+
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();
diff --git a/test/mjsunit/regress/regress-crbug-644689-2.js b/test/mjsunit/regress/regress-crbug-644689-2.js
@@ -0,0 +1,14 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+for (var i = 0; i < 1024; ++i) Object.prototype["i" + i] = i;
+
+function foo() { [1].pop(); }
+
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();
