Diffstat (limited to 'deps/v8/src/arm/stub-cache-arm.cc')
-rw-r--r-- | deps/v8/src/arm/stub-cache-arm.cc | 45 |
1 files changed, 29 insertions, 16 deletions
diff --git a/deps/v8/src/arm/stub-cache-arm.cc b/deps/v8/src/arm/stub-cache-arm.cc index 3350c56c1..f2d45e190 100644 --- a/deps/v8/src/arm/stub-cache-arm.cc +++ b/deps/v8/src/arm/stub-cache-arm.cc @@ -423,7 +423,7 @@ void StubCompiler::GenerateLoadFunctionPrototype(MacroAssembler* masm, // registers have their original values. void StubCompiler::GenerateStoreField(MacroAssembler* masm, Handle<JSObject> object, - int index, + LookupResult* lookup, Handle<Map> transition, Handle<Name> name, Register receiver_reg, @@ -436,16 +436,6 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm, // r0 : value Label exit; - LookupResult lookup(masm->isolate()); - object->Lookup(*name, &lookup); - if (lookup.IsFound() && (lookup.IsReadOnly() || !lookup.IsCacheable())) { - // In sloppy mode, we could just return the value and be done. However, we - // might be in strict mode, where we have to throw. Since we cannot tell, - // go into slow case unconditionally. - __ jmp(miss_label); - return; - } - // Check that the map of the object hasn't changed. CompareMapMode mode = transition.is_null() ? ALLOW_ELEMENT_TRANSITION_MAPS : REQUIRE_EXACT_MAP; @@ -460,8 +450,9 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm, // Check that we are allowed to write this. if (!transition.is_null() && object->GetPrototype()->IsJSObject()) { JSObject* holder; - if (lookup.IsFound()) { - holder = lookup.holder(); + // holder == object indicates that no property was found. + if (lookup->holder() != *object) { + holder = lookup->holder(); } else { // Find the top object. holder = *object; 
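Review bot: With `int index` replaced by `LookupResult* lookup` in the GenerateStoreField signature, the function trusts a caller-supplied lookup, and the following hunk (-436) removes the in-function bailout for `lookup.IsReadOnly() || !lookup.IsCacheable()`. Nothing in the new body visible on this page rejects a read-only or non-cacheable property, so every caller has to do that before requesting a stub; the callers are outside this diff, so this cannot be verified here. I would state the precondition in the header comment above the function, e.g. `// |lookup| must already have been checked by the caller: not read-only and cacheable.` The function body continues outside the hunk.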
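Review bot: `lookup->holder() != *object` in the transition branch (hunk -460) uses holder identity as a "not found" sentinel where the old code asked `lookup.IsFound()`, and the hunk does not show who establishes that convention. If a caller passes a result whose holder is unset or unrelated to the receiver, `holder` is taken from it unchecked and handed to CheckPrototypes. The one-line comment should name the contract, e.g. `// The caller sets lookup->holder() to the receiver when no property was found on the prototype chain.` (wording to be confirmed against the caller). The enclosing `if` block runs past the end of the hunk.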
@@ -469,8 +460,19 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm, holder = JSObject::cast(holder->GetPrototype()); } while (holder->GetPrototype()->IsJSObject()); } - CheckPrototypes(object, receiver_reg, Handle<JSObject>(holder), name_reg, - scratch1, scratch2, name, miss_restore_name); + Register holder_reg = CheckPrototypes( + object, receiver_reg, Handle<JSObject>(holder), name_reg, + scratch1, scratch2, name, miss_restore_name); + // If no property was found, and the holder (the last object in the + // prototype chain) is in slow mode, we need to do a negative lookup on the + // holder. + if (lookup->holder() == *object && + !holder->HasFastProperties() && + !holder->IsJSGlobalProxy() && + !holder->IsJSGlobalObject()) { + GenerateDictionaryNegativeLookup( + masm, miss_restore_name, holder_reg, name, scratch1, scratch2); + } } // Stub never generated for non-global objects that require access @@ -492,6 +494,7 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm, return; } + int index; if (!transition.is_null()) { // Update the map of the object. __ mov(scratch1, Operand(transition)); @@ -507,6 +510,10 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm, kDontSaveFPRegs, OMIT_REMEMBERED_SET, OMIT_SMI_CHECK); + index = transition->instance_descriptors()->GetFieldIndex( + transition->LastAdded()); + } else { + index = lookup->GetFieldIndex().field_index(); } // Adjust for the number of properties stored in the object. Even in the 
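Review bot: The negative lookup added after CheckPrototypes (hunk -469) is skipped when the final holder is a JSGlobalProxy or JSGlobalObject, and the hunk gives no reason why the absence of `name` on such a holder is already guaranteed. If CheckPrototypes does not validate the holder itself (not visible here), a property added later to a global object at the end of the chain would not invalidate this stub. Either add a comment naming the check that covers globals, e.g. `// Global holders are excluded because <existing check> already guards them.`, or add the corresponding check for them. `holder` is also a raw `JSObject*` that is read again after the CheckPrototypes call; that is safe only if the call cannot allocate, which should be confirmed.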
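Review bot: In the transition branch (hunk -507) `index` is taken from `transition->LastAdded()` rather than from `name`, so the store offset is correct only if the last descriptor added to the transition map is the field for this property; nothing in the hunk asserts that. The `else` branch likewise calls `lookup->GetFieldIndex()` without checking that the lookup describes a field, although the same function treats `lookup` as possibly "not found" earlier. A wrong index here becomes a store to the wrong slot, so I would add a debug assertion on the descriptor key in the first branch and a comment on the second such as `// Non-transition store: lookup must describe an existing field of the receiver.` The declaration `int index;` comes from the previous hunk (-492), and the function continues outside both hunks.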
@@ -2391,6 +2398,12 @@ void CallStubCompiler::CompileHandlerFrontend(Handle<Object> object, // Check that the object is a symbol. __ CompareObjectType(r1, r1, r3, SYMBOL_TYPE); __ b(ne, &miss); + // Check that the maps starting from the prototype haven't changed. + GenerateDirectLoadGlobalFunctionPrototype( + masm(), Context::SYMBOL_FUNCTION_INDEX, r0, &miss); + CheckPrototypes( + Handle<JSObject>(JSObject::cast(object->GetPrototype(isolate()))), + r0, holder, r3, r1, r4, name, &miss); break; case NUMBER_CHECK: { @@ -2982,7 +2995,7 @@ Handle<Code> ConstructStubCompiler::CompileConstructStub( __ cmp(r3, Operand(instance_size >> kPointerSizeLog2)); __ Check(eq, "Instance size of initial map changed."); #endif - __ AllocateInNewSpace(r3, r4, r5, r6, &generic_stub_call, SIZE_IN_WORDS); + __ Allocate(r3, r4, r5, r6, &generic_stub_call, SIZE_IN_WORDS); // Allocated the JSObject, now initialize the fields. Map is set to initial // map and properties and elements are set to empty fixed array. |