v8/test/mjsunit/regress/regress-1166136-2.js
Jakob Gruber 0ef84f9930 [compiler] Use StateValuesAccess to access frame state parameters
FrameState parameters must not be iterated directly since parameters
can be encoded into StateValues (i.e. parameter i is not necessarily
InputAt(i)). Instead, they should be accessed through the
StateValuesAccess helper class.

One example:

 82: StateValues[sparse:^^^^^^](81, 31, 32, 33, 34, 35)
  81: StateValues[sparse:^^^^^^^^](110, 24, 25, 26, 27, 28, 29, 30)
  31: NumberConstant[8]
  32: NumberConstant[9]
  33: NumberConstant[10]
  34: NumberConstant[11]
  35: NumberConstant[13]

Here, node 81 holds multiple parameters. These are properly iterated
by the StateValuesAccess class.

Bug: chromium:1166136
Change-Id: I12725f83994e1c05571bcba153ff45154b16d93f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2625879
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72126}
2021-01-18 07:56:20 +00:00


// Copyright 2021 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax --opt --turbo-inlining
/**
 * Test driver: defines the inner function `vul`, prepares it for
 * optimization, and calls it once with twelve arguments.
 *
 * The file name marks this as a regression test for issue 1166136. The exact
 * shape of the code (parameter list, unused locals, argument count) is likely
 * part of the reproduction, so it should not be simplified or restyled.
 *
 * @returns {object} Whatever `vul` returns for the fixed argument list.
 */
function main() {
// Callee with two named parameters and a rest parameter; with the call
// below, `args` receives the remaining ten values (3..12).
function vul(x0, x1, ...args) {
// Construct an Array from the rest arguments, passing `vul` itself as
// newTarget (third argument of Reflect.construct).
const res = Reflect.construct(Array,args,vul);
// Declared but never read or written.
// NOTE(review): presumably these enlarge the frame state so that values are
// packed into nested StateValues nodes in the optimizing compiler — confirm
// against the bug report before removing any of them.
let local_1;
let local_2;
let local_3;
let local_4;
let local_5;
return res;
}
// V8 intrinsic (needs --allow-natives-syntax): prepares `vul` so it is
// eligible for optimization.
// NOTE(review): with --turbo-inlining, `vul` is presumably meant to be
// inlined into `main` when `main` is optimized — confirm.
%PrepareFunctionForOptimization(vul);
return vul(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12);
}
// Differential check: run `main` unoptimized, then optimized, and require
// identical results. A mismatch means the optimizing compiler produced wrong
// code for this input.

// Make `main` eligible for optimization before it is first run.
%PrepareFunctionForOptimization(main);
// First call; its result is discarded.
main();
// Reference result, captured before optimization is requested.
const unoptimized_result = main();
// Request optimized compilation of `main` on its next invocation.
%OptimizeFunctionOnNextCall(main);
const optimized_result = main();
// assertEquals is provided by the mjsunit test harness, not by this file.
assertEquals(unoptimized_result, optimized_result);