fd074f9a80
We don't want to handle even non-growing stores when there are TypedArrays in the prototype chain. Typed arrays handle the out-of-bounds accesses by ignoring the stores unlike the regular array writes. We just let runtime handle these cases instead of making ICs more complex.

There was an earlier cl (https://chromium-review.googlesource.com/c/v8/v8/+/1609790) that fixed it for growing stores. This cl extends it for non-growing stores as well to handle more cases.

Bug: chromium:961709
Change-Id: I65e079b88c10d2ba343f69a67134893319cd8f8a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1662305
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62243}
30 lines
600 B
JavaScript
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function foo(a, i) {
  a[i] = 1;
  return a[i];
}

class MyArray extends (class C extends Array {
}){};

o = new MyArray;

%EnsureFeedbackVectorForFunction(foo);
// initialize IC
assertEquals(1, foo(o, 0));
assertEquals(1, foo(o, 1));

// Change prototype
o.__proto__.__proto__ = new Int32Array(2);

// Check it still works
assertEquals(undefined, foo(o, 2));
assertEquals(undefined, foo(o, 2));
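The behaviour this regression test pins down can also be checked without `--allow-natives-syntax`. The following is an added example, not part of the V8 tree: it repeats the test's prototype swap, compares the keyed store with the same operation done through `Reflect.set`/`Reflect.get`, and contrasts it with a plain array on the chain. The function names and the `WARMUP` count are chosen here, and the loop only makes it likely, not certain, that the store site has feedback before the swap.

```javascript
// Added example, not from the V8 tree. All names and WARMUP are chosen here.
const WARMUP = 1000; // arbitrary; makes feedback at the store site likely

// Same shape as foo() in the test: keyed store, then keyed load.
function storeThenLoad(a, i) {
  a[i] = 1;
  return a[i];
}

// Reference path: the same [[Set]] / [[Get]] through the Reflect builtins
// instead of the keyed store site above.
function referenceStoreThenLoad(a, i) {
  Reflect.set(a, i, 1, a);
  return Reflect.get(a, i, a);
}

// Rebuilds the test's two-level Array subclass, does in-bounds stores, swaps
// the prototype of MyArray.prototype, then stores once at index 2.
function runScenario(makeProto, store) {
  class MyArray extends (class C extends Array {}) {}
  const o = new MyArray();
  for (let n = 0; n < WARMUP; n++) {
    store(o, 0);
    store(o, 1);
  }
  Object.setPrototypeOf(Object.getPrototypeOf(o), makeProto());
  const value = store(o, 2);
  const own = Object.prototype.hasOwnProperty.call(o, 2);
  return { value, length: o.length, own };
}

function sameResult(x, y) {
  return x.value === y.value && x.length === y.length && x.own === y.own;
}

// Index 2 is out of bounds for Int32Array(2): the store must be dropped.
const typed = runScenario(() => new Int32Array(2), storeThenLoad);
const typedRef = runScenario(() => new Int32Array(2), referenceStoreThenLoad);
// With an ordinary array on the chain the store lands on the receiver.
const plain = runScenario(() => new Array(2), storeThenLoad);

console.log({ typed, typedRef, plain, agree: sameResult(typed, typedRef) });
```

A disagreement between `typed` and `typedRef` would mean the cached store path and the runtime path have diverged, which is the class of inconsistency the commit avoids by sending these stores to the runtime.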