732f394c5d
StaGlobal didn't write the accumulator, but the baseline implementation assumed that it could preserve the accumulator by taking the return value of the StoreGlobalIC. This almost always worked, except for setters on the global object.

Fix this by marking StaGlobal as clobbering the accumulator, same as StaNamedProperty (StaNamedProperty needs to do this anyway to avoid inlined setters from needing to create accumulator-preserving frames; StaGlobal would have needed the same thing if we'd ever inlined setters for it).

Also, add a new debug scope, EnsureAccumulatorPreservedScope, to the baseline compiler, which checks if the accumulator value is preserved across non-accumulator-writing bytecodes. This found a (benign) bug with ForInPrepare, so fix that too.

Fixed: chromium:1242306
Change-Id: I220b5b1c41010c16ac9f944cbd55d2705c299434
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3122325
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76525}

21 lines
530 B
JavaScript

// Copyright 2021 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax --sparkplug

function foo(){
  // __proto__ is a setter that is defined to return undefined.
  return __proto__ = 5;
}
assertEquals(foo(), 5);
assertEquals(foo(), 5);

%EnsureFeedbackVectorForFunction(foo);
assertEquals(foo(), 5);
assertEquals(foo(), 5);

%CompileBaseline(foo);
assertEquals(foo(), 5);
assertEquals(foo(), 5);
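
The failure mode the commit message describes, as an added toy model in plain JavaScript (not V8 code and not part of this test file): a bytecode declared as not writing the accumulator whose handler still overwrites it with the store's return value, and a debug check that catches the mismatch. The handler shapes, the `storeGlobalIC` helper and the save/reload sequence in `postFix` are assumptions made for illustration; only the bytecode names and the idea of the debug scope come from the commit message.

```javascript
// Toy accumulator machine modelling the bug class; not V8 source.
// Stand-in for the store IC (assumed shape): returns the stored value for a
// data property, but the setter's own return value for an accessor.
function storeGlobalIC(globals, name, value) {
  const desc = Object.getOwnPropertyDescriptor(globals, name);
  if (desc && desc.set) return desc.set.call(globals, value);
  globals[name] = value;
  return value;
}

// writesAcc is what each bytecode declares; run() is what its handler does.
function makeBytecodes(staGlobalWritesAcc) {
  return {
    LdaSmi: { writesAcc: true, run: (m, n) => { m.acc = n; } },
    Star: { writesAcc: false, run: (m, r) => { m.regs[r] = m.acc; } },
    Ldar: { writesAcc: true, run: (m, r) => { m.acc = m.regs[r]; } },
    // The handler leaves the IC result in the accumulator either way; only
    // the declaration differs between the pre-fix and post-fix variants.
    StaGlobal: {
      writesAcc: staGlobalWritesAcc,
      run: (m, name) => { m.acc = storeGlobalIC(m.globals, name, m.acc); },
    },
  };
}

// Debug check in the spirit of EnsureAccumulatorPreservedScope: a bytecode
// that declares no accumulator write must leave the accumulator unchanged.
function run(program, bytecodes, globals, debugCheck) {
  const m = { acc: undefined, regs: {}, globals };
  for (const [op, arg] of program) {
    const before = m.acc;
    bytecodes[op].run(m, arg);
    if (debugCheck && !bytecodes[op].writesAcc && !Object.is(before, m.acc)) {
      throw new Error(`${op} clobbered the accumulator`);
    }
  }
  return m.acc; // implicit Return of the accumulator
}

// Constructed inputs: a plain global, and one whose setter returns undefined.
const plainGlobals = () => ({ x: 0 });
const setterGlobals = () => Object.defineProperty({}, 'x', { set(v) {} });

// `return x = 5`: as compiled before the fix, and with the value saved and
// reloaded around the store (assumed sequence once StaGlobal clobbers).
const preFix = [['LdaSmi', 5], ['StaGlobal', 'x']];
const postFix = [['LdaSmi', 5], ['Star', 'r0'], ['StaGlobal', 'x'], ['Ldar', 'r0']];
```

With the check enabled, `run(preFix, makeBytecodes(false), ...)` passes on the plain global and throws on the setter global, while `run(postFix, makeBytecodes(true), ...)` returns 5 for both.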