v8/test/mjsunit/regress/regress-997989.js

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

28 lines
716 B
JavaScript
Raw Normal View History

Reland^2 "[ic] In-place Double -> Tagged transitions"" This is a reland of 981aafaf977d4671763c341102a4ee5ef172f7f6 It adds double checks to LoadFieldByIndex in the optimizing compiler, which are likely the source of the crashes. Original change's description: > Reland "[ic] In-place Double -> Tagged transitions" > > This is a reland of 0736599a69d4d7c145bff2d99fed8a7ea599f687. > This is a reland of 7e1fbe8f341161ca57f95f01b263643d139eb14a. > > Original change description: > > [ic] In-place Double -> Tagged transitions > > > > With no more MutableHeapNumber, we can make Double -> Tagged transitions > > in-place, at the cost of an extra map check when accessing double fields > > to make sure they are still doubles. > > > > Bug: v8:9606 > > Change-Id: I74ff39ed6fba62ee223cd37dfe761f7d73020e1c > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743973 > > Reviewed-by: Tobias Tebbi <tebbi@chromium.org> > > Reviewed-by: Toon Verwaest <verwaest@chromium.org> > > Commit-Queue: Leszek Swirski <leszeks@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#63374} > > TBR=verwaest@chromium.org, tebbi@chromium.org > > Bug: v8:9606 > Change-Id: I2d1b7416064d743582f4983fb868316b7e8a4cf2 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1777661 > Reviewed-by: Leszek Swirski <leszeks@chromium.org> > Commit-Queue: Leszek Swirski <leszeks@chromium.org> > Cr-Commit-Position: refs/heads/master@{#63499} TBR=verwaest@chromium.org Bug: v8:9606 Bug: chromium:997989 Change-Id: Iccfff8e5c6306c9ee4f6c62767dce883b1c6f743 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1784288 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#63582}
2019-09-05 14:36:00 +00:00
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
// A function with a for-in loop, that will be optimized.
function foo(o) {
for (var i in o) {
return o[i];
}
}
var o = { x: 0.5 };
// Warm up foo with Double values in the enum cache.
%PrepareFunctionForOptimization(foo);
assertEquals(foo(o), 0.5);
assertEquals(foo(o), 0.5);
%OptimizeFunctionOnNextCall(foo);
assertEquals(foo(o), 0.5);
// Transition the double field to a tagged field
o.x = "abc";
// Make sure that the optimized code correctly loads the tagged field.
assertEquals(foo(o), "abc");