From e7cacef1983bd4cec7ab49f569cba984eac520f8 Mon Sep 17 00:00:00 2001 From: Jaroslav Sevcik Date: Fri, 18 Nov 2016 12:57:38 +0100 Subject: [PATCH] Merged: [turbofan] Fix deopt check for storing into constant field. Revision: 1900760e8fb2bb8682d44ab3a58f8196230598da BUG=chromium:626986 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=bmeurer@chromium.org Review URL: https://codereview.chromium.org/2517543002 . Cr-Commit-Position: refs/branch-heads/5.5@{#48} Cr-Branched-From: 3cbd5838bd8376103daa45d69dade929ee4e0092-refs/heads/5.5.372@{#1} Cr-Branched-From: b3c8b0ce2c9af0528837d8309625118d4096553b-refs/heads/master@{#40015} --- .../js-native-context-specialization.cc | 7 +++--- test/mjsunit/compiler/regress-626986.js | 23 +++++++++++++++++++ 2 files changed, 27 insertions(+), 3 deletions(-) create mode 100644 test/mjsunit/compiler/regress-626986.js diff --git a/src/compiler/js-native-context-specialization.cc b/src/compiler/js-native-context-specialization.cc index 1881cd02bc53..35b3c82756be 100644 --- a/src/compiler/js-native-context-specialization.cc +++ b/src/compiler/js-native-context-specialization.cc @@ -818,13 +818,14 @@ JSNativeContextSpecialization::BuildPropertyAccess( DCHECK_EQ(AccessMode::kLoad, access_mode); value = jsgraph()->UndefinedConstant(); } else if (access_info.IsDataConstant()) { - value = jsgraph()->Constant(access_info.constant()); + Node* constant_value = jsgraph()->Constant(access_info.constant()); if (access_mode == AccessMode::kStore) { - Node* check = - graph()->NewNode(simplified()->ReferenceEqual(), value, value); + Node* check = graph()->NewNode(simplified()->ReferenceEqual(), value, + constant_value); effect = graph()->NewNode(simplified()->CheckIf(), check, effect, control); } + value = constant_value; } else if (access_info.IsAccessorConstant()) { // TODO(bmeurer): Properly rewire the IfException edge here if there's any. Node* target = jsgraph()->Constant(access_info.constant()); diff --git a/test/mjsunit/compiler/regress-626986.js b/test/mjsunit/compiler/regress-626986.js new file mode 100644 index 000000000000..5e02918423dc --- /dev/null +++ b/test/mjsunit/compiler/regress-626986.js @@ -0,0 +1,23 @@ +// Copyright 2016 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax + +function g() { + return 42; +} + +var o = {}; + +function f(o, x) { + o.f = x; +} + +f(o, g); +f(o, g); +f(o, g); +assertEquals(42, o.f()); +%OptimizeFunctionOnNextCall(f); +f(o, function() { return 0; }); +assertEquals(0, o.f());