3a401f3b51
A JSFunction object may count as 'ObjectMayBeUninitialized', yet still be safe to read for other reasons (e.g. because it has been loaded through a chain of acquire-loads and immutable-after-initialization guarantees). Bug: chromium:1235071,v8:7790 Change-Id: I18c81695f001fd67e69d98dde641b71ed7b7e53d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3064606 Auto-Submit: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#76031}
// Copyright 2021 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --noanalyze-environment-liveness --interrupt-budget=1000 --allow-natives-syntax
// Regression-test body for the crash tracked as chromium:1235071 (see the
// commit message on this page). Takes no arguments and returns undefined; its
// only lasting effect is the prototype-chain mutation below.
// NOTE(review): the names look machine-generated/reduced; for a compiler
// regression test the exact statement shape may matter, so keep it as is.
function __f_4() {
  // A fresh closure (a new function object) is created on every call.
  var __v_3 = function() {};
  // First read of the closure's .prototype.
  var __v_5 = __v_3.prototype;
  // Global side effect: the closure becomes the prototype of Number.prototype.
  // This persists after the call and is overwritten by each later call.
  Number.prototype.__proto__ = __v_3;
  // Comma expression whose value is discarded: evaluates __v_5, then reads
  // __v_3.prototype a second time, after the prototype-chain change.
  // NOTE(review): presumably this load on the just-created function is the
  // read the commit message describes ('ObjectMayBeUninitialized' yet safe to
  // read) -- confirm against the linked CL.
  __v_5, __v_3.prototype;
}
// Natives-syntax intrinsic (parses only with --allow-natives-syntax, which the
// Flags line sets): prepares __f_4 so that V8 can optimize it later.
%PrepareFunctionForOptimization(__f_4);
// Call the function 100 times. NOTE(review): with --interrupt-budget=1000 this
// is presumably enough to trigger tier-up without an explicit optimize call --
// confirm. No assertions are visible here; the check appears to be that the
// run completes without crashing.
for (let i = 0; i < 100; i++) __f_4();