82b3ac945c
We don't use ICs for the Array.prototype and the Object.prototype because the runtime has to be able to intercept them properly (for the global protectors). So we better make sure that TurboFan doesn't outsmart the system by storing to elements of either prototype directly. Bug: chromium:781116 Change-Id: I0f521601ef02c1b21018abd1bf1028fd8a811e84 Reviewed-on: https://chromium-review.googlesource.com/753089 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#49101}
24 lines
505 B
JavaScript
24 lines
505 B
JavaScript
// Copyright 2017 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
function baz(obj, store) {
|
|
if (store === true) obj[0] = 1;
|
|
}
|
|
function bar(store) {
|
|
baz(Object.prototype, store);
|
|
baz(this.arguments, true);
|
|
}
|
|
bar(false);
|
|
bar(false);
|
|
%OptimizeFunctionOnNextCall(bar);
|
|
bar(true);
|
|
|
|
function foo() { [].push(); }
|
|
foo();
|
|
foo();
|
|
%OptimizeFunctionOnNextCall(foo);
|
|
foo();
|