9cdff48c4b
After the runtime call for dynamic tiering, the instance cache is
invalidated. This was assumed to be done in {SpillAllRegisters}, but the
instance is still being accessed after that call, so the instance cache
register might still be set after the runtime call.
R=ahaas@chromium.org
Bug: chromium:1179065
Change-Id: I375e7c388e5a74789050e374db50d21c2efe27e2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2714544
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72958}
22 lines
664 B
JavaScript
22 lines
664 B
JavaScript
// Copyright 2021 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --wasm-staging --wasm-dynamic-tiering
|
|
|
|
load('test/mjsunit/wasm/wasm-module-builder.js');
|
|
|
|
const builder = new WasmModuleBuilder();
|
|
builder.addMemory(1, 10);
|
|
builder.addFunction('load', kSig_i_i).addBody([
|
|
// signature: i_i
|
|
// body:
|
|
kExprLocalGet, 0, // local.get
|
|
kExprI32LoadMem, 0, 0, // i32.load_mem
|
|
]).exportFunc();
|
|
const instance = builder.instantiate();
|
|
// Call multiple times to trigger dynamic tiering.
|
|
for (let i = 0; i < 20; ++i) {
|
|
instance.exports.load(1);
|
|
}
|