Ensure we never inline class constructors in Crankshaft, as it currently is entirely unsupported.

BUG=v8:3330 LOG=n Review URL: https://codereview.chromium.org/1415723005 Cr-Commit-Position: refs/heads/master@{#31480}
2015-10-22 07:38:34 -07:00 · 2015-10-22 07:38:34 -07:00 · f464f12a8b
commit f464f12a8b
parent 0a7996882e
2 changed files with 29 additions and 0 deletions
--- a/src/crankshaft/hydrogen.cc
+++ b/src/crankshaft/hydrogen.cc
@ -9827,6 +9827,7 @@ void HOptimizedGraphBuilder::BuildInlinedCallArray(
 // Checks whether allocation using the given constructor can be inlined.
 static bool IsAllocationInlineable(Handle<JSFunction> constructor) {
  return constructor->has_initial_map() &&
+         !IsClassConstructor(constructor->shared()->kind()) &&
         constructor->initial_map()->instance_type() == JS_OBJECT_TYPE &&
         constructor->initial_map()->instance_size() <
             HAllocate::kMaxInlineSize;
--- a/test/mjsunit/regress/regress-inline-class-constructor.js
+++ b/test/mjsunit/regress/regress-inline-class-constructor.js
@ -0,0 +1,28 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+"use strict";
+
+var B = class extends Int32Array { }
+
+function f(b) {
+  if (b) {
+    null instanceof B;
+  }
+}
+
+f();
+f();
+f();
+%OptimizeFunctionOnNextCall(f);
+f();
+
+function f2() {
+  return new B();
+}
+
+%OptimizeFunctionOnNextCall(f2);
+f2();