88e538179e
Currently the same reduction is used for both TypedArray's and
DataView's byte{Length,Offset} accessors. But their behavior differ on
detached buffers: TypedArray returns 0 while DataView throw.
Do not do the optimization for DataViews if we can't depend on the
detach protector.
Bug: chromium:1344549
Change-Id: I38b533a62f756869380cb5c19fe254e03979e81a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3763785
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81754}
44 lines
1.0 KiB
JavaScript
44 lines
1.0 KiB
JavaScript
// Copyright 2022 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
// DataView.prototype.byteLength and DataView.prototype.byteOffset throw on
|
|
// detached ArrayBuffers, unlike the TypedArray.prototype counterparts. Turbofan
|
|
// should not reduce them the same way.
|
|
|
|
let ab = new ArrayBuffer();
|
|
let dv = new DataView(ab);
|
|
%ArrayBufferDetach(ab);
|
|
|
|
function TestByteLength(dv) {
|
|
let caught = 0;
|
|
for (let i = 0; i < 64; i++) {
|
|
try {
|
|
dv.byteLength;
|
|
} catch (e) {
|
|
caught++;
|
|
}
|
|
if (i == 2) %OptimizeOsr();
|
|
}
|
|
assertEquals(64, caught);
|
|
}
|
|
%PrepareFunctionForOptimization(TestByteLength);
|
|
TestByteLength(dv);
|
|
|
|
function TestByteOffset(dv) {
|
|
let caught = 0;
|
|
for (let i = 0; i < 64; i++) {
|
|
try {
|
|
dv.byteOffset;
|
|
} catch (e) {
|
|
caught++;
|
|
}
|
|
if (i == 2) %OptimizeOsr();
|
|
}
|
|
assertEquals(64, caught);
|
|
}
|
|
%PrepareFunctionForOptimization(TestByteOffset);
|
|
TestByteOffset(dv);
|