c34a29549f
This ensures the JSFunction objects materialized by the deoptimizer have the correct instance size (depending on the given map). There are corner cases where the instance size might vary due to in-object properties. R=jarin@chromium.org TEST=mjsunit/regress/regress-crbug-772610 BUG=chromium:772610 Change-Id: I4808c7260db1adbd1cdc3871c2a946475e4934f2 Reviewed-on: https://chromium-review.googlesource.com/707109 Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#48383}
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --verify-heap --expose-gc
/**
 * Regression body for chromium:772610 (see the commit message above).
 *
 * Allocates a one-element array whose element is an object literal with a
 * single computed-key method, forces a deoptimization while that array is
 * still live, and returns the array length. The interesting part is not the
 * return value but the deoptimizer having to materialize the literal and
 * the JSFunction for its method with the right instance size.
 *
 * @returns {number} Always 1 (the array holds exactly one element).
 */
function f() {
  // The method under a computed key (Symbol.toPrimitive) is the JSFunction
  // the deoptimizer must rebuild; per the commit message its instance size
  // depends on the map (in-object properties), which is the bug being covered.
  var o = [{
    [Symbol.toPrimitive]() {}
  }];
  // V8 intrinsic (needs --allow-natives-syntax, see the Flags line): bail out
  // of optimized code right here while `o` is live so it gets materialized.
  %_DeoptimizeNow();
  return o.length;
}
// Test driver. The call order is the test: unoptimized warm-up calls, then
// one optimized call that hits %_DeoptimizeNow() inside f, then a GC.
// Two unoptimized calls first (presumably to gather type feedback before
// optimization; the exact count is part of the regression shape, keep it).
assertEquals(1, f());
assertEquals(1, f());
// V8 intrinsic (--allow-natives-syntax): optimize f for the next call.
%OptimizeFunctionOnNextCall(f);
// This call runs optimized code, deopts inside f and materializes the
// objects f allocated; the result must still be the same.
assertEquals(1, f());
// --expose-gc provides gc(); with --verify-heap (Flags line above) the
// collector checks object layout, which is where a JSFunction materialized
// with the wrong instance size is expected to be detected.
gc();