863bc2b88a
Previously, StoreStoreElimination handled allocations as "can observe anything". This is pretty conservative and prohibits elimination of repeated double stores to the same field. With this CL allocations are changed to "observes initializing or transitioning stores". This way it is guaranteed that initializing stores to a freshly created object or stores that are part of a map transition are not eliminated before allocations (that can trigger GC), but allows elimination of non-initializing, non-transitioning, unobservable stores in the presence of allocations. Bug: v8:12200 Change-Id: Ie1419696b9c8cb7c39aecf38d9f08102177b2c0f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3295449 Commit-Queue: Patrick Thier <pthier@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Maya Lekova <mslekova@chromium.org> Cr-Commit-Position: refs/heads/main@{#78230}
// Copyright 2021 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --verify-heap --turbo-store-elimination
// Check that transitioning stores are not eliminated.
// Object created once at script level and used as the value of the first
// store in foo(), so that store writes an already-existing object.
let obj = { a: 42 }
/**
 * Constructor under test. It writes `this.f` twice in a row with an
 * allocation in between, so the first write looks dead to store-store
 * elimination even though it must stay.
 *
 * Reads the script-level `obj`; returns nothing explicitly (used with `new`).
 */
function foo() {
  // Force GC on the next allocation to trigger heap verification.
  %SimulateNewspaceFull();

  // Transitioning store. Must not be eliminated.
  // `f` is not assigned anywhere before this line, so this write also adds
  // the property to the receiver. Per the commit description, allocations
  // observe transitioning stores because they can trigger GC.
  this.f = obj;

  // Overwrites `f` with a fresh object literal. The literal is an allocation,
  // presumably the one that hits the simulated-full new space; under
  // --verify-heap the resulting GC checks the heap while foo is still running.
  this.f = {
    a: 43
  };
}
// Prepare foo so it can be optimized on request further down.
%PrepareFunctionForOptimization(foo);
var a;
// Two constructions before optimization is requested.
a = new foo();
a = new foo();
// Request optimized code for the next call; the Flags line enables
// --turbo-store-elimination, the pass this test targets.
%OptimizeFunctionOnNextCall(foo);
a = new foo();
// The later store must be the visible one. The heap-consistency side of the
// test is not asserted here; it relies on --verify-heap failing during GC.
assertEquals(43, a.f.a);