c6a16c10dd
With bytecode flushing and lazy feedback allocation, we need to call %PrepareForOptimization before we call %OptimizeFunctionOnNextCall, ideally after declaring the function. Bug: v8:8801, v8:8394, v8:9183 Change-Id: I3fb257282a30f6526a376a3afdedb44786320d34 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1648255 Commit-Queue: Mathias Bynens <mathias@chromium.org> Reviewed-by: Maya Lekova <mslekova@chromium.org> Reviewed-by: Mythri Alle <mythria@chromium.org> Cr-Commit-Position: refs/heads/master@{#62119}
46 lines
973 B
JavaScript
46 lines
973 B
JavaScript
// Copyright 2019 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
(function NoStoreBecauseReadonlyLength() {
|
|
var a = [];
|
|
Object.defineProperty(a, 'length', { writable: false });
|
|
|
|
|
|
function f() {
|
|
var o = {__proto__: a};
|
|
o.push;
|
|
};
|
|
%PrepareFunctionForOptimization(f);
|
|
f();
|
|
f();
|
|
%OptimizeFunctionOnNextCall(f);
|
|
|
|
a[0] = 1.1;
|
|
f();
|
|
assertEquals(undefined, a[0]);
|
|
})();
|
|
|
|
(function NoStoreBecauseTypedArrayProto() {
|
|
const arr_proto = [].__proto__;
|
|
const arr = [];
|
|
|
|
function f() {
|
|
const i32arr = new Int32Array();
|
|
|
|
const obj = {};
|
|
obj.__proto__ = arr;
|
|
arr_proto.__proto__ = i32arr;
|
|
obj.__proto__ = arr;
|
|
arr_proto.__proto__ = i32arr;
|
|
};
|
|
%PrepareFunctionForOptimization(f);
|
|
f();
|
|
%OptimizeFunctionOnNextCall(f);
|
|
arr[1024] = [];
|
|
f();
|
|
assertEquals(undefined, arr[1024]);
|
|
})();
|