b61335513a
We use StoreOwnIC to initialize the object after creating a new object with CreateObjectLiteral. CreateObjectLiteral stores kHoleNaNInt64 to indicate an uninitialized double field. When we actually try to store a NaN value into that field later using StoreOwnIC, IC avoids actually storing the new value since the existing value is "same as" the value we try to write. The float comparison treats all NaNs as equal. In this particular case, we should actually store the new value since kHoleNaNInt64 value is used to represent an uninitialized field. This cl just stores the new value even when the existing value is same as the new value for double fields. The check is still required to correctly track const fields.

Bug: chromium:1082293
Change-Id: Ib37061802f2403545cffa6d6fef08be074b0825d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2228886
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68167}
19 lines
500 B
JavaScript
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function f() {
  let buffer = new ArrayBuffer(8);
  let a32 = new Float32Array(buffer);
  let a8 = new Uint32Array(buffer);
  let a = { value: NaN };
  Object.defineProperty(a32, 0, { value: NaN });
  return a8[0];
}

let value = f();
%EnsureFeedbackVectorForFunction(f);
assertEquals(value, f());
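The skipped store described in the commit message, as an added toy model in plain JavaScript (not V8 code and not part of this commit). HOLE_BITS is a constructed NaN payload standing in for kHoleNaNInt64, and the field object and all function names are hypothetical.

```javascript
// Toy model of an unboxed double field kept as raw 64-bit bits.
// HOLE_BITS: constructed NaN payload standing in for kHoleNaNInt64.
const HOLE_BITS = 0xfff7000000000001n;
const scratch = new DataView(new ArrayBuffer(8));

function toBits(x) { scratch.setFloat64(0, x); return scratch.getBigUint64(0); }
function fromBits(b) { scratch.setBigUint64(0, b); return scratch.getFloat64(0); }

// NaN: exponent all ones and a non-zero mantissa.
function isNaNBits(b) {
  return ((b >> 52n) & 0x7ffn) === 0x7ffn && (b & 0xfffffffffffffn) !== 0n;
}

// Float-style "same as": every NaN compares equal to every other NaN,
// so the hole marker is "the same as" a user-supplied NaN.
function sameAsDouble(aBits, bBits) {
  if (isNaNBits(aBits) && isNaNBits(bBits)) return true;
  return fromBits(aBits) === fromBits(bBits);
}

// Models CreateObjectLiteral leaving the double field uninitialized.
function createObjectLiteral() { return { bits: HOLE_BITS }; }
function isUninitialized(field) { return field.bits === HOLE_BITS; }

// Before the fix: the store is skipped when the values look the same.
function storeOwnBuggy(field, value) {
  const v = toBits(value);
  if (sameAsDouble(field.bits, v)) return true; // hole marker survives
  field.bits = v;
  return false;
}

// After the fix: the comparison is still computed (the commit keeps it
// for const-field tracking) but a double field is always written.
function storeOwnFixed(field, value) {
  const v = toBits(value);
  const same = sameAsDouble(field.bits, v);
  field.bits = v;
  return same;
}

const before = createObjectLiteral();
storeOwnBuggy(before, NaN);
const after = createObjectLiteral();
storeOwnFixed(after, NaN);
console.log("buggy store leaves hole:", isUninitialized(before));
console.log("fixed store leaves hole:", isUninitialized(after));
```

The model compares raw bits through BigInt accessors because reading a NaN back as a JavaScript number may not preserve its payload.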