5ef88462f9
If the runtime does not transition in keyed store IC miss handler, avoid generating transitioning handler since this could make the receiver map non-stable. (The optimizing compiler does not like non-stable fast prototype maps.) Bug: chromium:950328 Change-Id: I113880d2033518e3eb8fd11df1599e56a67d7fd0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1559867 Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#60752}
46 lines
900 B
JavaScript
46 lines
900 B
JavaScript
// Copyright 2019 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
(function NoStoreBecauseReadonlyLength() {
|
|
var a = [];
|
|
Object.defineProperty(a, 'length', { writable: false });
|
|
|
|
|
|
function f() {
|
|
var o = { __proto__ : a };
|
|
o.push;
|
|
}
|
|
|
|
f();
|
|
f();
|
|
%OptimizeFunctionOnNextCall(f);
|
|
|
|
a[0] = 1.1;
|
|
f();
|
|
assertEquals(undefined, a[0]);
|
|
})();
|
|
|
|
(function NoStoreBecauseTypedArrayProto() {
|
|
const arr_proto = [].__proto__;
|
|
const arr = [];
|
|
|
|
function f() {
|
|
const i32arr = new Int32Array();
|
|
|
|
const obj = {};
|
|
obj.__proto__ = arr;
|
|
arr_proto.__proto__ = i32arr;
|
|
obj.__proto__ = arr;
|
|
arr_proto.__proto__ = i32arr;
|
|
}
|
|
|
|
f();
|
|
%OptimizeFunctionOnNextCall(f);
|
|
arr[1024] = [];
|
|
f();
|
|
assertEquals(undefined, arr[1024]);
|
|
})();
|