0681deb914
This fixes a corner-case where the bytecode was using the <new.target> register directly without going through the local variable. The value might be clobbered because the deoptimizer doesn't properly restore the value. The label will cause the bytecode pipeline to be flushed and hence ensure {BytecodeRegisterOptimizer} doesn't reuse <new.target> anymore.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-645103
BUG=chromium:645103

Review-Url: https://codereview.chromium.org/2325133002
Cr-Commit-Position: refs/heads/master@{#39306}
18 lines
419 B
JavaScript
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --ignition-staging --turbo

class Base {}
class Subclass extends Base {
  constructor() {
    %DeoptimizeNow();
    super();
  }
}
new Subclass();
new Subclass();
%OptimizeFunctionOnNextCall(Subclass);
new Subclass();