aecd84376c
This reduction relies on a known object layout of the regexp instance in order to access the lastIndex field through a statically-determined offset. Prior to this CL, we checked only for instance types, not for the map, and thus it was possible to read garbage from either inside or outside the current object. Bug: chromium:1024758,v8:7779 Change-Id: I1eec8220797f443bdf3d05804e54f33b21fa2f00 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1924353 Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Sigurd Schneider <sigurds@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#65039}
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
/**
 * Function under test: runs RegExp `test` on the file-level regexp `r`.
 *
 * The script calls this once before and once after requesting optimization.
 * The commit description says the optimized reduction of this call reads
 * `lastIndex` at a statically determined offset, so it is only valid while
 * `r` has the object layout that the reduction assumes.
 *
 * @returns {boolean} Whether `r` matches the string "abc".
 */
function f() {
  const matched = r.test("abc");
  return matched;
}
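/**
 * Adds two own properties (`a`, `b`) to `o` and then deletes `a`, so that
 * only `b` (value 42) remains.
 *
 * The comment at the call site describes this step as the transition to
 * dictionary properties.
 * NOTE(review): presumably deleting a property that was not the last one
 * added is what moves the object to dictionary mode in V8 - confirm.
 *
 * @param {object} o - Object to modify in place.
 * @returns {undefined}
 */
function to_dict(o) {
  // Work on the argument rather than the file-level `r`, so the helper acts
  // on whatever object it is given, as to_fast(o) does. The only caller
  // passes `r`, so the test's behaviour is unchanged.
  o.a = 42;
  o.b = 42;
  delete o.a;
}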
/**
 * Removes `o.a`, then briefly installs `o` as the prototype of a throwaway
 * object before detaching it again, and returns `o`.
 *
 * The comment at the call site describes this step as the transition back to
 * fast properties. The statement order is kept exactly as in the original
 * because the effect depends on engine internals.
 * NOTE(review): presumably V8 converts an object back to fast properties
 * when it is used as a prototype and that chain is then accessed - confirm.
 *
 * @param {object} o - Object to modify in place.
 * @returns {object} The same object `o`.
 */
function to_fast(o) {
  const holder = {};
  const spareProto = {};
  delete o.a;
  // Make `o` the prototype of `holder`, then store an element on `holder`.
  holder.__proto__ = o;
  holder[0] = 1;
  // Detach `o` again and undo the element store on the throwaway object.
  holder.__proto__ = spareProto;
  delete holder[0];
  return o;
}
// Shrink the instance size by first transitioning to dictionary properties,
// then back to fast properties.
// After these two calls `r` is still a regexp, but it no longer has the
// layout of a freshly created one. The commit description names this case:
// the reduction checked only the instance type, not the map, so it could
// read `lastIndex` from the wrong offset, inside or outside the object.
const r = /./;
to_dict(r);
to_fast(r);

// Call f once before optimization is requested, then again afterwards.
// The % calls are V8 natives and need the --allow-natives-syntax flag from
// the file header.
// NOTE(review): assertTrue is not defined in this file; presumably the test
// harness provides it - confirm.
%PrepareFunctionForOptimization(f);
assertTrue(f());
%OptimizeFunctionOnNextCall(f);
// This second call is the regression check: f must still return true after
// optimization was requested for the reshaped regexp.
assertTrue(f());