c906efd5d1
When a prototype object migrates from a slow to a fast map, where the slow map was registered as a user of its own prototype, then the registration must be transferred to the new map (just like MigrateToMap does for all other cases). BUG=chromium:513602 LOG=y NOTREECHECKS=true Review URL: https://codereview.chromium.org/1263543004 Cr-Commit-Position: refs/heads/master@{#29898}
27 lines
708 B
JavaScript
27 lines
708 B
JavaScript
// Copyright 2015 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
function Parent() {}
|
|
|
|
function Child() {}
|
|
Child.prototype = new Parent();
|
|
var child = new Child();
|
|
|
|
function crash() {
|
|
return child.__proto__;
|
|
}
|
|
|
|
crash();
|
|
crash();
|
|
|
|
// Trigger a fast->slow->fast dance of Parent.prototype's map...
|
|
Parent.prototype.__defineSetter__("foo", function() { print("A"); });
|
|
Parent.prototype.__defineSetter__("foo", function() { print("B"); });
|
|
// ...and collect more type feedback.
|
|
crash();
|
|
|
|
// Now modify the prototype chain. The right cell fails to get invalidated.
|
|
delete Object.prototype.__proto__;
|
|
crash();
|