fb0a60e156
JSCreate can have side effects (by looking up the prototype on an object), so once we walk past that the analysis result must be marked as "unreliable". Bug: chromium:1053604 Change-Id: I36625b14f374e74561c9b539bdf7a02ae767cf7f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2062396 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/master@{#66329}
31 lines
612 B
JavaScript
31 lines
612 B
JavaScript
// Copyright 2020 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
let a = [0, 1, 2, 3, 4];
|
|
|
|
function empty() {}
|
|
|
|
function f(p) {
|
|
a.pop(Reflect.construct(empty, arguments, p));
|
|
}
|
|
|
|
let p = new Proxy(Object, {
|
|
get: () => (a[0] = 1.1, Object.prototype)
|
|
});
|
|
|
|
function main(p) {
|
|
f(p);
|
|
}
|
|
|
|
%PrepareFunctionForOptimization(empty);
|
|
%PrepareFunctionForOptimization(f);
|
|
%PrepareFunctionForOptimization(main);
|
|
|
|
main(empty);
|
|
main(empty);
|
|
%OptimizeFunctionOnNextCall(main);
|
|
main(p);
|