17d86d76fb
This makes sure the deoptimizer properly materializes heap objects, even
when the top-most frame happens to be a stub-frame. Without this step
the {arguments_marker} would leak into user-land and most likely be
treated as an undefined value.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-769852
BUG=chromium:769852
Change-Id: I4ba17501c5d7e68d1f402b7c2cc5ccb0fb7bfb05
Reviewed-on: https://chromium-review.googlesource.com/691996
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48262}
15 lines
419 B
JavaScript
15 lines
419 B
JavaScript
// Copyright 2017 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
function f(o) {
|
|
function g() {}
|
|
Object.keys(o).forEach(suite => g());
|
|
}
|
|
assertDoesNotThrow(() => f({}));
|
|
assertDoesNotThrow(() => f({ x:0 }));
|
|
%OptimizeFunctionOnNextCall(f);
|
|
assertDoesNotThrow(() => f({ x:0 }));
|