9fa7ce514e
Fuzzing found a problem with --turbo-optimize-apply when the Array.prototype iterator is replaced with a generator function. We can the issue by installing a protector on the array iterator. This CL also defines the --turbo-optimize-apply as 'future' to get more test coverage. Bug: v8:9974 Change-Id: Id5bc68fde98ea5d1f6a951c4381ca6283b892632 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2966058 Commit-Queue: Paolo Severini <paolosev@microsoft.com> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#75197}
56 lines
1.7 KiB
JavaScript
56 lines
1.7 KiB
JavaScript
// Copyright 2021 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax --turbo-optimize-apply --opt
|
|
|
|
// These tests do not work well if this script is run more than once (e.g.
|
|
// --stress-opt); after a few runs the whole function is immediately compiled
|
|
// and assertions would fail. We prevent re-runs.
|
|
// Flags: --nostress-opt --no-always-opt
|
|
|
|
// Some of the tests rely on optimizing/deoptimizing at predictable moments, so
|
|
// this is not suitable for deoptimization fuzzing.
|
|
// Flags: --deopt-every-n-times=0
|
|
|
|
// Test for optimization of CallWithSpread when the array iterator is replaced
|
|
// with a generator function and the array in empty.
|
|
//
|
|
// Note: this test must be in a separate file because the test invalidates a
|
|
// protector, which then remains invalidated.
|
|
(function () {
|
|
"use strict";
|
|
|
|
// This invalidates the DependOnArrayIteratorProtector.
|
|
Object.defineProperty(Array.prototype, Symbol.iterator, {
|
|
value: function* () {
|
|
yield 42;
|
|
},
|
|
});
|
|
|
|
var log_got_interpreted = true;
|
|
|
|
function log(a) {
|
|
assertEquals(1, arguments.length);
|
|
log_got_interpreted = %IsBeingInterpreted();
|
|
return a;
|
|
}
|
|
function foo() {
|
|
return log(...[]);
|
|
}
|
|
|
|
%PrepareFunctionForOptimization(log);
|
|
%PrepareFunctionForOptimization(foo);
|
|
assertEquals(42, foo());
|
|
assertTrue(log_got_interpreted);
|
|
|
|
// Compile foo.
|
|
%OptimizeFunctionOnNextCall(log);
|
|
%OptimizeFunctionOnNextCall(foo);
|
|
assertEquals(42, foo());
|
|
// The call with spread should not have been inlined, because of the
|
|
// generator/iterator.
|
|
assertFalse(log_got_interpreted);
|
|
assertOptimized(foo);
|
|
})();
|