v8/test/mjsunit/regress/regress-crbug-599073-2.js
bmeurer 6df9a22c3f [ic] Use the CallFunction builtin to invoke accessors.
The HandlerCompiler did not properly handle the weird edge case when a
sloppy mode function was installed as an accessor on one of the value
wrapper prototypes and then accessed via a load from a primitive value.
In this case we just passed the primitive value untouched instead of
properly wrapping it first. The CallFunction builtin properly deals with
all the funny edge cases, so we use it instead of duplicating almost all
of the logic here (the performance difference is neglible).

R=verwaest@chromium.org
BUG=chromium:599073, v8:4413
LOG=n

Review URL: https://codereview.chromium.org/1845243005

Cr-Commit-Position: refs/heads/master@{#35187}
2016-04-01 06:37:57 +00:00

12 lines
298 B
JavaScript

// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
Object.defineProperty(Boolean.prototype, "v", {set:constructor});
function foo(b) { b.v = 1; }
foo(true);
foo(true);
foo(true);