bed8853908
The escape analysis is able to perform scalar replacement on JSArrays with in-object properties (which currently only happens for subclasses of the Array constructor), but the Deoptimizer didn't properly materialized and initialized the values of the in-object fields so far. Bug: chromium:772689, v8:6399 Change-Id: I6555a46773d2a1543db069142aa05f4337566b9c Reviewed-on: https://chromium-review.googlesource.com/706781 Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#48365}
24 lines
524 B
JavaScript
24 lines
524 B
JavaScript
// Copyright 2017 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
const A = class A extends Array {
|
|
constructor() {
|
|
super();
|
|
this.y = 1;
|
|
}
|
|
}
|
|
|
|
function foo(x) {
|
|
var a = new A();
|
|
if (x) return a.y;
|
|
}
|
|
|
|
assertEquals(undefined, foo(false));
|
|
assertEquals(undefined, foo(false));
|
|
%OptimizeFunctionOnNextCall(foo);
|
|
assertEquals(undefined, foo(false));
|
|
assertEquals(1, foo(true));
|