471893ccec
GenerateSmiToDouble on ia32 assumes that it is called from a JSFrame and can restore the context from the StandardFrameConstants::kContextObject. In the case of the interpreter it is called from a interpreter handler stub frame which doesn't push the context onto it's frame. Instead, push and pop esi to explicitly restore it correctly. BUG=chromium:612386 Review-Url: https://codereview.chromium.org/2011313003 Cr-Commit-Position: refs/heads/master@{#36649}
30 lines
699 B
JavaScript
30 lines
699 B
JavaScript
// Copyright 2016 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --no-inline-new
|
|
|
|
function keyed_store(obj, key, value) {
|
|
obj[key] = value;
|
|
}
|
|
|
|
function foo() {
|
|
obj = {};
|
|
obj.smi = 1;
|
|
obj.dbl = 1.5;
|
|
obj.obj = {a:1};
|
|
|
|
// Transition keyed store IC to polymorphic.
|
|
keyed_store(obj, "smi", 100);
|
|
keyed_store(obj, "dbl", 100);
|
|
keyed_store(obj, "obj", 100);
|
|
|
|
// Now call with a FAST_SMI_ELEMENTS object.
|
|
var smi_array = [5, 1, 1];
|
|
keyed_store(smi_array, 1, 6);
|
|
// Transition from FAST_SMI_ELEMENTS to FAST_DOUBLE_ELEMENTS.
|
|
keyed_store(smi_array, 2, 1.2);
|
|
}
|
|
|
|
foo();
|