27900f17b8
In a few places we incorrectly assumed to know the instance type of the heap object. In particular, in JSCallReducer::ReduceDataViewAccess, doing map inference on the receiver and determining that all maps are JSDataView maps does not guarantee that the receiver is a JSDataView constant because we might deopt before getting to the data view operation. Bug: chromium:1146652 Change-Id: I1611308c3ebe0d33fa6b0cf0938d777b4e6449ff Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2524440 Auto-Submit: Georg Neis <neis@chromium.org> Commit-Queue: Maya Lekova <mslekova@chromium.org> Reviewed-by: Maya Lekova <mslekova@chromium.org> Cr-Commit-Position: refs/heads/master@{#71034}
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
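/**
 * Duck-type probe used by the reproducer: hands back `obj.getFloat64` as-is.
 *
 * This is a property lookup, not a type check. A real DataView yields the
 * inherited `DataView.prototype.getFloat64` function (truthy); an object or
 * proxy without that property yields `undefined` (falsy).
 *
 * The stray `|` table cells that the page viewer left inside the body are
 * dropped here so that the function parses again; the statement itself is
 * unchanged.
 *
 * @param {object} obj - Value to probe.
 * @returns {*} Whatever `obj.getFloat64` evaluates to.
 */
function IsDataView(obj) {
  return obj.getFloat64;
}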
// V8 test intrinsic (needs --allow-natives-syntax): exclude IsDataView from
// optimization. NOTE(review): presumably this also keeps the probe from being
// inlined into bar, so optimized code cannot fold away its result - confirm.
%NeverOptimizeFunction(IsDataView);
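/**
 * Calls `obj.getFloat64(0)` only when the IsDataView probe returns a truthy
 * value; otherwise does nothing.
 *
 * This is the DataView access exercised by the regression test for
 * chromium:1146652 (JSCallReducer::ReduceDataViewAccess). The stray `|`
 * table cells that the page viewer left inside the body are dropped so the
 * function parses again.
 *
 * NOTE(review): the statement is kept token-for-token as in the original
 * test, because the reproducer may depend on this exact shape.
 *
 * @param {object} obj - Receiver that may or may not be a DataView.
 * @returns {undefined}
 */
function bar(obj) {
  if (IsDataView(obj)) obj.getFloat64(0);
}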
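// Warm-up: run bar once with a genuine DataView, so the getFloat64 call site
// has only ever seen a DataView receiver before anything is optimized.
// (The `|` table cells left by the page viewer between these statements are
// dropped; the statements themselves are unchanged.)
%PrepareFunctionForOptimization(bar);
bar(new DataView(new ArrayBuffer(42)));

// A proxy over an empty target with an empty handler: `proxy.getFloat64` is
// undefined, so IsDataView(proxy) is falsy and bar never reaches the
// getFloat64 call for it at run time.
const proxy = new Proxy({}, {});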
// The function that is optimized at the end of the test; it passes the
// top-level `proxy` constant to bar.
// NOTE(review): presumably the optimizing compiler inlines bar here, which is
// how the DataView call reduction meets a constant receiver that is not a
// JSDataView. Per the commit message, map inference on the receiver does not
// prove that - confirm against the fix.
function foo() { bar(proxy) }
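// Run foo once unoptimized, then request optimization and run it again so the
// second call goes through the optimizing compiler.
// NOTE(review): the test has no assertions; presumably it passes when
// compilation and the optimized call complete without a crash or a failed
// internal check - confirm.
// (The `|` table cells left by the page viewer between these statements are
// dropped; the statements themselves are unchanged.)
%PrepareFunctionForOptimization(foo);
foo();

%OptimizeFunctionOnNextCall(foo);
foo();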