c6a16c10dd
With bytecode flushing and lazy feedback allocation, we need to call %PrepareForOptimization before we call %OptimizeFunctionOnNextCall, ideally after declaring the function. Bug: v8:8801, v8:8394, v8:9183 Change-Id: I3fb257282a30f6526a376a3afdedb44786320d34 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1648255 Commit-Queue: Mathias Bynens <mathias@chromium.org> Reviewed-by: Maya Lekova <mslekova@chromium.org> Reviewed-by: Mythri Alle <mythria@chromium.org> Cr-Commit-Position: refs/heads/master@{#62119}
30 lines
855 B
JavaScript
30 lines
855 B
JavaScript
// Copyright 2019 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax --noenable-slow-asserts
|
|
|
|
// This call ensures that TurboFan won't inline array constructors.
|
|
Array(2 ** 30);
|
|
|
|
// Set up a fast holey smi array, and generate optimized code.
|
|
let a = [1, 2, , , , 3];
|
|
function mapping(a) {
|
|
return a.map(v => v);
|
|
};
|
|
%PrepareFunctionForOptimization(mapping);
|
|
mapping(a);
|
|
mapping(a);
|
|
%OptimizeFunctionOnNextCall(mapping);
|
|
mapping(a);
|
|
|
|
// Now lengthen the array, but ensure that it points to a non-dictionary
|
|
// backing store.
|
|
a.length = 32 * 1024 * 1024 - 1;
|
|
a.fill(1, 0);
|
|
a.push(2);
|
|
a.length += 500;
|
|
// Now, the non-inlined array constructor should produce an array with
|
|
// dictionary elements: causing a crash.
|
|
mapping(a);
|