e6b6e55453
In the earlier implementation of GenerateDoubleToObject the context is loaded from the parent's frame. rsi is clobbered because it is used to store kHoleNan constnat. It is not always safe to peek at the parents frame. Bytecode handlers have TypedFrame and the type of frame is stored at FP + 1. GenerateDoubleToObject expects context to be store at that place. In the current implementation rsi is pushed onto the stack and is popped when exiting this function. BUG=v8:4280,chromium:597565 LOG=N Review URL: https://codereview.chromium.org/1848473002 Cr-Commit-Position: refs/heads/master@{#35163}
19 lines
494 B
JavaScript
19 lines
494 B
JavaScript
// Copyright 2016 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --no-inline-new
|
|
|
|
function __f_2(b, value) {
|
|
b[1] = value;
|
|
}
|
|
function __f_9() {
|
|
var arr = [1.5, 0, 0];
|
|
// Call with a double, so the expected element type is double.
|
|
__f_2(1.5);
|
|
// Call with an object, which triggers transition from FAST_double
|
|
// to Object for the elements type.
|
|
__f_2(arr);
|
|
}
|
|
__f_9();
|