489e7deb7e
Since the mutability of HeapNumbers is determined by their owning object's descriptor array, we can remove the MutableHeapNumber type entirely, at the cost of a few fewer DCHECKs and a couple of TODOs to use the descriptor array information. This is a necessary step towards a follow-up which allows in-place Double -> Tagged transitions Design doc: https://docs.google.com/document/d/1VeKIskAakxQFnUBNkhBmVswgR7Vk6T1kAyKRLhqerb4/ Bug: v8:9606 Change-Id: I13209f9c86f1f204088f6fd80089e17d956b4a50 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743972 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#63294}
15 lines
539 B
JavaScript
15 lines
539 B
JavaScript
// Copyright 2018 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Previously, spreading in-object properties would always treat double fields
|
|
// as tagged, potentially dereferencing a Float64.
|
|
|
|
// Ensure that we don't fail an assert from --verify-heap when cloning a
|
|
// HeapNumber in the CloneObjectIC handler case.
|
|
var src, clone;
|
|
for (var i = 0; i < 40000; i++) {
|
|
src = { ...i, x: -9007199254740991 };
|
|
clone = { ...src };
|
|
}
|