From 376eb8020d05894b555fc1de7e31015358eeb4c8 Mon Sep 17 00:00:00 2001
From: Georg Neis
Date: Tue, 8 Jun 2021 15:30:57 +0200
Subject: [PATCH] [compiler] Add missing prototype serialization of bound function map

This is needed for JSCallReducer.

Bug: chromium:1217562
Change-Id: I1f06040a74c393598c134301ba0cf04a46380107
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2945184
Reviewed-by: Jakob Gruber
Commit-Queue: Georg Neis
Cr-Commit-Position: refs/heads/master@{#75019}
---
 .../serializer-for-background-compilation.cc | 9 +++++++++
 test/mjsunit/compiler/regress-1217562.js | 19 +++++++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 test/mjsunit/compiler/regress-1217562.js

diff --git a/src/compiler/serializer-for-background-compilation.cc b/src/compiler/serializer-for-background-compilation.cc
index 56783dbb54..379a3cbcb3 100644
--- a/src/compiler/serializer-for-background-compilation.cc
+++ b/src/compiler/serializer-for-background-compilation.cc
@@ -2557,6 +2557,15 @@ void SerializerForBackgroundCompilation::ProcessBuiltinCall(
 result_hints->AddVirtualBoundFunction( VirtualBoundFunction(bound_target, new_arguments), zone(), broker());
+
+ broker() ->target_native_context() .bound_function_with_constructor_map() .SerializePrototype();
+ broker() ->target_native_context() .bound_function_without_constructor_map() .SerializePrototype();
 }
 break;
 case Builtin::kObjectGetPrototypeOf:
diff --git a/test/mjsunit/compiler/regress-1217562.js b/test/mjsunit/compiler/regress-1217562.js
new file mode 100644
index 0000000000..67924cc70e
--- /dev/null
+++ b/test/mjsunit/compiler/regress-1217562.js
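Review bot: The two added SerializePrototype() calls carry no comment saying why this call site has to serialize the native context's bound-function maps, so a later reader of ProcessBuiltinCall only learns from the commit message that JSCallReducer reads those maps' prototypes off the main thread; I would put `// JSCallReducer reads the prototype of both bound-function maps; serialize them here so the background compile never touches an unserialized object.` above the first `broker()` chain. The serialization is also only reached on the path that calls AddVirtualBoundFunction, so if a bound function can reach JSCallReducer without a bind call being processed in this function (for example as a constant from feedback), its map prototype would presumably still be unserialized — I cannot tell from the hunk whether that route exists, but it is worth a check since an unserialized heap read on the background thread is exactly the bug class being fixed. Neither getter depends on this call site, so if SerializePrototype() is not trivially idempotent the two calls might belong where the native context itself is serialized rather than on every bound-function hint. The enclosing ProcessBuiltinCall starts and ends outside the hunk, and the `case` label this block sits under is not visible, so the Function.prototype.bind context is inferred from AddVirtualBoundFunction.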
@@ -0,0 +1,19 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo() {
+ foo.bind();
+ foo.__proto__ = class {};
+}
+
+%PrepareFunctionForOptimization(foo);
+foo();
+foo();
+foo();
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();
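Review bot: The new test has no comment tying it to the scenario it regresses, and the bug id in the filename is the only pointer to chromium:1217562; I would add, after the Flags line, `// Regression test for chromium:1217562: optimizing a function that calls bind() and then replaces its own prototype must not crash in JSCallReducer.` so the shape of foo is not simplified away in a future cleanup. The `foo.__proto__ = class {}` assignment is presumably what makes the bound-function map prototypes relevant to the reducer, but the test itself gives no hint of that, so a one-line comment on that statement would help whoever next touches it.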