// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --expose-gc

// Exercises a prototype object that keeps fast properties across a
// delete, then gets a double field stored where a tagged field used to
// be. The double's bit pattern is chosen to look like a tagged pointer,
// so a GC that still treated that slot as tagged would presumably follow
// it as a heap reference (hence the final "Boom!" gc()).

// Constructor whose instances carry five tagged fields a0..a4.
function P() {
  this.a0 = {};
  this.a1 = {};
  this.a2 = {};
  this.a3 = {};
  this.a4 = {};
}

// Empty constructor; its prototype is replaced with a P instance below.
function A() {
}

var proto = new P();
A.prototype = proto;

// Loads a0 through an A instance; the property lives on |proto|, so the
// inline cache for this load goes through the prototype.
function foo(o) {
  return o.a0;
}

// Ensure |proto| is in old space.
gc();
gc();
gc();

// Ensure |proto| is marked as "should be fast".
var o = new A();
%EnsureFeedbackVectorForFunction(foo);
foo(o);
foo(o);
foo(o);
assertTrue(%HasFastProperties(proto));

// Construct a double value that looks like a tagged pointer: both 32-bit
// halves of the 8-byte buffer are set to 0x40000001 and the same bytes
// are read back as a float64.
var buffer = new ArrayBuffer(8);
var int32view = new Int32Array(buffer);
var float64view = new Float64Array(buffer);
int32view[0] = int32view[1] = 0x40000001;
var boom = float64view[0];

// Write a new-space object into a4.
proto.a4 = {a: 0};
// Immediately delete the field.
delete proto.a4;
// |proto| must still be fast (the delete must not have normalized it).
assertTrue(%HasFastProperties(proto));

// Add a double field in place of the deleted a4 that looks like a tagged
// pointer.
proto.boom = boom;

// Boom! A GC now has to visit |proto| with the double stored in the
// reused slot; the test passes if it does not misinterpret those bits.
gc();