d922171717
There were four places where we did essentially the same steps in order to extract the initial map for inlining a JSCreate operation. This CL creates a function on NodeProperties for this task. As a side effect, this fixes a bug in ReduceJSCreateArray, where has_initial_map could get called when it wasn't permissible to do so. Notes: For simplicity, in one or two places where we used to get the target/newtarget constants from the types we now get them from HeapConstant nodes. Cosmetic change: rename "receiver_map" to the more accurate "root_map" in JSNativeContextSpecialization::ExtractReceiverMaps. Bug: chromium:939316 Change-Id: I8fd9eb50993be3d839ab9b18eeea28184c53eabf Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1528435 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#60301}
40 lines
659 B
JavaScript
40 lines
659 B
JavaScript
// Copyright 2019 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
(function JSCreate() {
|
|
function f(arg) {
|
|
const o = Reflect.construct(Object, arguments, Proxy);
|
|
o.foo = arg;
|
|
}
|
|
|
|
function g(i) {
|
|
f(i);
|
|
}
|
|
|
|
g(0);
|
|
g(1);
|
|
%OptimizeFunctionOnNextCall(g);
|
|
g(2);
|
|
})();
|
|
|
|
|
|
(function JSCreateArray() {
|
|
function f() {
|
|
try {
|
|
const o = Reflect.construct(Array, arguments, parseInt);
|
|
} catch(e) { }
|
|
}
|
|
|
|
function g() {
|
|
f();
|
|
}
|
|
|
|
g();
|
|
g();
|
|
%OptimizeFunctionOnNextCall(g);
|
|
g();
|
|
})();
|