800c294cf1
For keyed stores we recompute handlers based on the receiver maps we have seen. This is done so that we can transition to the most generic elements kind we have seen so far. When we recompute these handlers we get a new prototype validity cell and ignore the existing cell. This leads to incorrect behaviour if the cell was invalid.

Recomputing the handler may be extra work which is not worth doing at this point. So we just reuse the existing validity cell and let the IC recompute the handler if we see the map again.

Bug: chromium:1053939
Change-Id: Ifc891d70f5a4b8b774238e12fb40e29b4d174e37
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2122032
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66963}
17 lines
409 B
JavaScript
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --no-lazy-feedback-allocation


function foo(a, b) {
  a[b] = 1;
  return a[b];
}
v = [];
// First keyed store: the IC sees a plain array receiver.
assertEquals(foo(v, 1), 1);
// Put an empty typed array behind Array.prototype.
v.__proto__.__proto__ = new Int32Array();
// A receiver with a different map reaches the same keyed store.
assertEquals(foo(Object(), 1), 1);
// Index 2 is out of bounds for the empty Int32Array on the chain, so the
// store must not create v[2].
assertEquals(foo(v, 2), undefined);
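The language semantics that the test's final assertion depends on, as an added example that is not part of the V8 test or commit: once a typed array sits on an array's prototype chain, an out-of-bounds indexed store is absorbed by the typed array and creates no own element. The private prototype object (used so the global `Array.prototype` is left untouched) and the names `storeThenLoad`, `makeArrayWithPrivateProto` and `runScenario` are assumptions of this sketch; it shows only the expected result, not the IC handler path.

```javascript
// Added example, not V8 project code. All names here are hypothetical.

// Same shape as foo() in the test: keyed store followed by keyed load.
function storeThenLoad(receiver, key) {
  receiver[key] = 1;
  return receiver[key];
}

// An array with its own intermediate prototype, so the prototype chain can
// be changed without modifying the global Array.prototype.
function makeArrayWithPrivateProto() {
  const proto = Object.create(Array.prototype);
  const arr = [];
  Object.setPrototypeOf(arr, proto);
  return { arr, proto };
}

function runScenario() {
  const { arr, proto } = makeArrayWithPrivateProto();
  const out = {};

  // No typed array on the chain yet: the store creates arr[1].
  out.beforeChange = storeThenLoad(arr, 1);

  // Put an empty Int32Array behind the array's prototype, mirroring
  // v.__proto__.__proto__ = new Int32Array() in the test.
  Object.setPrototypeOf(proto, new Int32Array());

  // An unrelated plain object still stores normally.
  out.plainObject = storeThenLoad({}, 1);

  // Index 2 is not an own element of arr, so the store walks the chain,
  // reaches the typed array, and is absorbed there.
  out.afterChange = storeThenLoad(arr, 2);
  out.hasOwnIndex2 = Object.prototype.hasOwnProperty.call(arr, 2);
  out.length = arr.length;
  return out;
}

console.log(runScenario());
```

A handler that was created before the prototype change and is still used afterwards would store `v[2]` directly, which is the incorrect behaviour the commit message describes.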