1ec7ffedc8
In reducers, we should avoid reductions of the form ReduceWithValue(node, replacement) return Replace(node) because such reduction does not kill the original node, so it may become subject to resurrection from some side table (in the bug referenced below it was load elimination's side table). Instead, we should use ReduceWithValue(node, replacement) return Replace(replacement) Bug: chromium:945644 Change-Id: Id210efe0d214a53241392d30b7f0eee8e7515e2a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1545229 Reviewed-by: Sigurd Schneider <sigurds@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#60517}
24 lines
550 B
JavaScript
24 lines
550 B
JavaScript
// Copyright 2019 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
function f(v5,v6) {
|
|
const v16 = [1337,1337,-765470.5051836492];
|
|
let v19 = 0;
|
|
do {
|
|
const v20 = v19 + 1;
|
|
const v22 = Math.fround(v20);
|
|
v19 = v22;
|
|
const v23 = [v20, v22];
|
|
function v24() { v20; v22; }
|
|
const v33 = v16.indexOf(v19);
|
|
} while (v19 < 6);
|
|
}
|
|
|
|
f();
|
|
Array.prototype.push(8);
|
|
%OptimizeFunctionOnNextCall(f);
|
|
f();
|