6288483b65
Various field dependencies assume that the receiver map and the field owner map agree on field meta data. That's not necessarily true when the receiver map is already deprecated. We should skip over deprecated maps. - Fix a bug in SerializerForBackgroundCompilation. It used to process even deprecated maps. - Fix a bug in FilterRelevantReceiverMaps. It used to store the original map rather than the new version. - Turn some compilation dependency DCHECKs into CHECKs. - CHECK in MapRef::FindFieldOwner that the map is not deprecated. While there might be valid use cases for calling the underlying Map::FindFieldOwner on a deprecated map, we never want to do that in the compiler. Note that we skip any deprecated maps in JSNativeContextSpecialization's ReduceNamedAccess. That's why I believe the issue could only be observed with --concurrent-inlining and only in the form of a failing DCHECK. Bug: chromium:1221812, v8:7790 Change-Id: I998b4ce1954be01eb6e0feb491ccc6b8306c685f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2976655 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org> Cr-Commit-Position: refs/heads/master@{#75294}
25 lines
572 B
JavaScript
25 lines
572 B
JavaScript
// Copyright 2021 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
function C(a, b) {
|
|
this.a = a;
|
|
this.b = b;
|
|
}
|
|
|
|
var c = new C(42, 4.2);
|
|
var cc = new C(4.2, 42);
|
|
|
|
function foo() { return cc.a }
|
|
|
|
%PrepareFunctionForOptimization(foo);
|
|
assertEquals(4.2, foo());
|
|
|
|
// Transition representation of 'a' from Double to Tagged.
|
|
Object.defineProperty(c, 'a', { value: undefined });
|
|
|
|
%OptimizeFunctionOnNextCall(foo);
|
|
assertEquals(4.2, foo());
|