eb2a44439e
The condition clearing the "known HeapObject" bit was wrong -- it was checking whether the _map_ was a HeapObject (spoiler alert, it is), not whether it was the map _of_ a HeapObject, i.e. not a HeapNumberMap which returns true for Smis. Bug: v8:7700 Change-Id: I5af4c1a662bb16bacdfcf178819d912332ecefd6 Fixed: chromium:1383712 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4023077 Reviewed-by: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#84243}
27 lines
732 B
JavaScript
27 lines
732 B
JavaScript
// Copyright 2022 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
//
|
|
// Flags: --maglev --allow-natives-syntax
|
|
|
|
// Pseudo-side-effecting function.
|
|
function bar() {}
|
|
%NeverOptimizeFunction(bar);
|
|
|
|
function foo(i) {
|
|
// First load checks for HeapNumber map, allowing through Smis.
|
|
i['oh'];
|
|
// Cause side-effects to clear known maps of i.
|
|
bar(i);
|
|
// Second load should not crash for Smis.
|
|
i['no'];
|
|
}
|
|
|
|
%PrepareFunctionForOptimization(foo);
|
|
// Give the two loads polymorphic feedback in HeapNumber and {some object}.
|
|
foo({});
|
|
foo(1);
|
|
%OptimizeMaglevOnNextCall(foo);
|
|
// Pass a Smi to loads with a HeapNumber map-check.
|
|
foo(2);
|