b4583c0444
For a prototype chain foo -> global_proxy -> global_object, we used to register a dependency from foo -> global_object. This is incorrect when the global_proxy/global_object pairing is modified, e.g. when navigating in iframes. With this patch, we properly register foo -> global_proxy and global_proxy -> global_object dependencies. Additionally, when a prototype's prototype changes from null to something else, this new usage relation must be registered if there are other users further down on the prototype chain that might expect a complete chain of registrations to exist (which was the case before, and must be preserved). BUG=chromium:571517 LOG=n R=verwaest@chromium.org Review URL: https://codereview.chromium.org/1559323002 Cr-Commit-Position: refs/heads/master@{#33119}
37 lines
961 B
JavaScript
37 lines
961 B
JavaScript
// Copyright 2015 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
function Receiver() { this.receiver = "receiver"; }
|
|
function Proto() { this.proto = "proto"; }
|
|
|
|
function f(a) {
|
|
return a.foo;
|
|
}
|
|
|
|
var rec = new Receiver();
|
|
|
|
var proto = rec.__proto__.__proto__;
|
|
|
|
// Initialize prototype chain dependent IC (nonexistent load).
|
|
assertEquals(undefined, f(rec));
|
|
assertEquals(undefined, f(rec));
|
|
|
|
// Add a new prototype to the end of the chain.
|
|
var p2 = new Proto();
|
|
p2.__proto__ = null;
|
|
proto.__proto__ = p2;
|
|
|
|
// Update the IC.
|
|
assertEquals(undefined, f(rec));
|
|
|
|
// Now modify the most recently added prototype by adding a property...
|
|
p2.foo = "bar";
|
|
assertEquals("bar", f(rec));
|
|
|
|
// ...and removing it again. Due to missing prototype user registrations,
|
|
// this fails to invalidate the IC.
|
|
delete p2.foo;
|
|
p2.secret = "GAME OVER";
|
|
assertEquals(undefined, f(rec));
|