From b7a7959fce4bf3c51155f3c83a0249323849d127 Mon Sep 17 00:00:00 2001 From: Ali Ijaz Sheikh Date: Thu, 13 Dec 2018 20:39:13 -0800 Subject: [PATCH] deps: V8: cherry-pick 52a9e67 Original commit message: [turbofan] Fix ObjectCreate's side effect annotation. Bug: chromium:888923 Change-Id: Ifb22cd9b34f53de3cf6e47cd92f3c0abeb10ac79 Reviewed-on: https://chromium-review.googlesource.com/1245763 Reviewed-by: Benedikt Meurer Commit-Queue: Jaroslav Sevcik Cr-Commit-Position: refs/heads/master@{#56236} Refs: https://github.com/v8/v8/commit/52a9e67a477bdb67ca893c25c145ef5191976220 --- common.gypi | 2 +- deps/v8/src/compiler/js-operator.cc | 2 +- .../test/mjsunit/compiler/regress-888923.js | 31 +++++++++++++++++++ 3 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 deps/v8/test/mjsunit/compiler/regress-888923.js diff --git a/common.gypi b/common.gypi index e2295ee35de832..ba444e1429f856 100644 --- a/common.gypi +++ b/common.gypi @@ -33,7 +33,7 @@ # Reset this number to 0 on major V8 upgrades. # Increment by one for each non-official patch applied to deps/v8. - 'v8_embedder_string': '-node.45', + 'v8_embedder_string': '-node.46', # Enable disassembler for `--print-code` v8 options 'v8_enable_disassembler': 1, diff --git a/deps/v8/src/compiler/js-operator.cc b/deps/v8/src/compiler/js-operator.cc index 04feec6827aad0..8dedd68d946032 100644 --- a/deps/v8/src/compiler/js-operator.cc +++ b/deps/v8/src/compiler/js-operator.cc @@ -598,7 +598,7 @@ CompareOperationHint CompareOperationHintOf(const Operator* op) { V(CreateKeyValueArray, Operator::kEliminatable, 2, 1) \ V(CreatePromise, Operator::kEliminatable, 0, 1) \ V(CreateTypedArray, Operator::kNoProperties, 5, 1) \ - V(CreateObject, Operator::kNoWrite, 1, 1) \ + V(CreateObject, Operator::kNoProperties, 1, 1) \ V(ObjectIsArray, Operator::kNoProperties, 1, 1) \ V(HasProperty, Operator::kNoProperties, 2, 1) \ V(HasInPrototypeChain, Operator::kNoProperties, 2, 1) \ diff --git a/deps/v8/test/mjsunit/compiler/regress-888923.js b/deps/v8/test/mjsunit/compiler/regress-888923.js new file mode 100644 index 00000000000000..e352673b7d933d --- /dev/null +++ b/deps/v8/test/mjsunit/compiler/regress-888923.js @@ -0,0 +1,31 @@ +// Copyright 2018 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax + +(function() { + function f(o) { + o.x; + Object.create(o); + return o.y.a; + } + + f({ x : 0, y : { a : 1 } }); + f({ x : 0, y : { a : 2 } }); + %OptimizeFunctionOnNextCall(f); + assertEquals(3, f({ x : 0, y : { a : 3 } })); +})(); + +(function() { + function f(o) { + let a = o.y; + Object.create(o); + return o.x + a; + } + + f({ x : 42, y : 21 }); + f({ x : 42, y : 21 }); + %OptimizeFunctionOnNextCall(f); + assertEquals(63, f({ x : 42, y : 21 })); +})();