AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
701124db95
v8/test/mjsunit/regress/regress-crbug-694709.js
Michael Starzinger beb94c5e87 [turbofan] Fix Object.prototype.__proto__ getter reduction. 
This fixes a corner-case where the call reduction of the aforementioned
getter did not simulate the {ToObject} conversion of the receiver value
as required by the spec. This caused the wrong prototype to be constant
promoted (i.e. {null} instead of wrapper object prototype).

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-694709
BUG=chromium:694709

Change-Id: Idf3a37071949d9ddaf5ef43974570c06fd31c0c9
Reviewed-on: https://chromium-review.googlesource.com/445818
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43376}
2017-02-22 15:07:49 +00:00

14 lines
433 B
JavaScript
Raw Blame History

// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --turbo
function f(primitive) {
return primitive.__proto__;
}
assertEquals(Symbol.prototype, f(Symbol()));
assertEquals(Symbol.prototype, f(Symbol()));
%OptimizeFunctionOnNextCall(f);
assertEquals(Symbol.prototype, f(Symbol()));
Reference in New Issue View Git Blame Copy Permalink