e8c823763a
A "store own" slow runtime was missing, and the slow handler on the StoreOwnIC was using the non-own slow runtime function, incorrectly causing setters to be called.

For baseline, [1] invalidates the invariant that StoreOwnIC is only used for storing properties already in the literal boilerplate, since it's also used when the new literal is cloned from an object spread.

[1] https://chromium-review.googlesource.com/c/v8/v8/+/3224666

Bug: chromium:1263389, v8:11429
Change-Id: I0284396f306f937d1b8ff96adda6cc133c19726a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3244308
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77591}
22 lines
578 B
JavaScript
// Copyright 2021 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// This is testing a regression in a slow store IC handler, so force allocation
// of type feedback vectors.
//
// Flags: --no-lazy-feedback-allocation

function crash() { assertTrue(false); }
Object.prototype.__defineSetter__("crashOnSet", crash);

function test() {
  const o = { a: 1 };
  return { ...o, crashOnSet: 42 };
}

// Run once to install the slow IC handler.
test();
// Hit the slow handler.
test();
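
The language rule this regression test guards, as an added example that is not part of the V8 commit or its test file: an object literal with a spread must define own data properties without calling an inherited setter, while plain assignment does call it. The property name `exampleInheritedSetter` and the helper functions are constructed for illustration, and the code runs in plain Node.js without the mjsunit harness.

```javascript
// Constructed property name; it must match the literal key used below.
const KEY = "exampleInheritedSetter";

// Runs fn with a setter for KEY installed on Object.prototype and returns
// fn's result together with the number of times the setter fired.
function withPrototypeSetter(fn) {
  let calls = 0;
  Object.defineProperty(Object.prototype, KEY, {
    set(_value) { calls++; },
    configurable: true, // lets the finally block remove it again
  });
  try {
    const result = fn();
    return { result, calls };
  } finally {
    delete Object.prototype[KEY];
  }
}

// Define semantics: a named property in a literal that starts with a spread
// must become an own data property and never consult the prototype chain.
function defineViaSpread(iterations) {
  return withPrototypeSetter(() => {
    let last;
    // Repeat so the same store site executes more than once, as the
    // regression test does by calling test() twice.
    for (let i = 0; i < iterations; i++) {
      const o = { a: 1 };
      last = { ...o, exampleInheritedSetter: 42 };
    }
    return Object.getOwnPropertyDescriptor(last, KEY);
  });
}

// Set semantics: plain assignment performs [[Set]], which finds the inherited
// accessor and calls it instead of creating an own property.
function setViaAssignment() {
  return withPrototypeSetter(() => {
    const o = { a: 1 };
    o.exampleInheritedSetter = 42;
    return Object.getOwnPropertyDescriptor(o, KEY);
  });
}
```

On an engine with the bug described in the commit message, `defineViaSpread` would report a non-zero setter count once the slow handler is reached; a conforming engine reports zero on every iteration.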