AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
97eff73b71
v8/test/mjsunit/regress/regress-666046.js
Frank Emrich 527754fbae [dict-proto] Constness tracking of dictionary properties (jitless) 
For dictionary mode objects, whether or not a property is constant was
not tracked before. This CL makes the required non-Turbofan changes,
guarded behind the new flag V8_DICT_PROPERTY_CONST_TRACKING.

In addition, prototypes are not converted to fast mode objects if this
flags is enabled.

Bug: v8:11247
Change-Id: Ia5942733239a97560b6efc015f0e25a35fea3d7a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2566757
Commit-Queue: Frank Emrich <emrich@google.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72524}
2021-02-04 11:42:33 +00:00

62 lines
1.2 KiB
JavaScript
Raw Blame History

// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --expose-gc
function P() {
this.a0 = {};
this.a1 = {};
this.a2 = {};
this.a3 = {};
this.a4 = {};
}
function A() {
}
var proto = new P();
A.prototype = proto;
function foo(o) {
return o.a0;
}
// Ensure |proto| is in old space.
gc();
gc();
gc();
// Ensure |proto| is marked as "should be fast".
var o = new A();
%EnsureFeedbackVectorForFunction(foo);
foo(o);
foo(o);
foo(o);
assertEquals(!%IsDictPropertyConstTrackingEnabled(),
%HasFastProperties(proto));
// Contruct a double value that looks like a tagged pointer.
var buffer = new ArrayBuffer(8);
var int32view = new Int32Array(buffer);
var float64view = new Float64Array(buffer);
int32view[0] = int32view[1] = 0x40000001;
var boom = float64view[0];
// Write new space object.
proto.a4 = {a: 0};
// Immediately delete the field.
delete proto.a4;
// |proto| must sill be fast.
assertEquals(!%IsDictPropertyConstTrackingEnabled(),
%HasFastProperties(proto));
// Add a double field instead of deleted a4 that looks like a tagged pointer.
proto.boom = boom;
// Boom!
gc();
Reference in New Issue View Git Blame Copy Permalink