930f26549f
The CanAllocateArray check used to be executed during JSCreateLowering, leading to bailouts when large arrays are passed as arguments to an async function or a bound function. This meant that JSCreateAsyncFunctionObject or JSCreateBoundFunction would reach JSGenericLowering, where they are not lowered. This CL moves the checks earlier in the pipeline during JSNativeContextSpecialization and JSCallReducer respectively, so that those operators are not created at all in such cases and we bail out to the runtime instead.

Bug: v8:11564
Change-Id: I232ce7d9378730ae0cc8690e52fde840a484e069
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2807609
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73928}
// Copyright 2021 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --max-optimized-bytecode-size=300000
// Source-text filler: when this array is coerced to a string it becomes
// 35000 comma-separated `arg` identifiers, which the tests below splice into
// a parameter list and into a call's argument list.
const args = Array.from({ length: 35000 }, () => 'arg');
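// Regression test for ReduceJSCreateAsyncFunctionObject (v8:11564).
//
// outer_async is a source template, not the function that finally runs: the
// driver code below stringifies it, swaps the placeholder parameter of g for
// the contents of `args`, and evals the result. Keep the placeholder name in
// g's parameter list and nowhere earlier in the function text, because only
// its first occurrence is substituted.
function outer_async() {
  async function g(replace_me) {}
  %PrepareFunctionForOptimization(g);
  %OptimizeFunctionOnNextCall(g);
  // The Promise constructor invokes g as its executor; that is the call on
  // which the requested optimization happens.
  new Promise(g);
}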
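// Build the real test body: the template's text with g's single parameter
// replaced by 35000 comma-separated `arg` names (replace() coerces the array
// to a string).
const outer_async_many_args = outer_async.toLocaleString().replace('replace_me', args);
// The eval input is built only from this file's own function text and the
// local `args` array, never from external data.
// NOTE(review): this relies on the file running as a sloppy-mode script, so
// that the evaluated declaration rebinds outer_async and repeated parameter
// names are accepted; confirm if the harness ever changes.
eval(outer_async_many_args);
// Run the rewritten function; g is optimized when the Promise constructor
// calls it.
outer_async();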
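// Regression test for ReduceJSCreateBoundFunction (v8:11564).
//
// Source template for the bound-function case. The driver code below replaces
// the placeholder in the bind() call with 35000 references to the `arg`
// parameter, so the rewritten function binds 35000 arguments. `arg` exists
// only so that those references resolve; the test calls outer_bind() without
// arguments, so every bound value is undefined. As written here, before the
// substitution, calling the function throws a ReferenceError.
function outer_bind(arg) {
  function b() { return 42; };
  return b.bind(null, replace_me);
}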
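// Build the real test body: the template's text with the placeholder in the
// bind() call replaced by 35000 comma-separated `arg` references (replace()
// coerces the array to a string).
const outer_bind_many_args = outer_bind.toLocaleString().replace('replace_me', args);
// The eval input is built only from this file's own function text and the
// local `args` array, never from external data.
// NOTE(review): relies on sloppy-mode script semantics so that the evaluated
// declaration rebinds outer_bind; confirm if the harness ever changes.
eval(outer_bind_many_args);
// Order matters: prepare, run once unoptimized, request optimization, then
// run again so the bind() call with 35000 arguments goes through the
// optimizing compiler.
%PrepareFunctionForOptimization(outer_bind);
outer_bind();
%OptimizeFunctionOnNextCall(outer_bind);
outer_bind();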