From a701715283a0cf0d8e663913c4bb30a15a22e6b3 Mon Sep 17 00:00:00 2001
From: Jaroslav Sevcik
Date: Tue, 7 May 2019 10:53:49 +0200
Subject: [PATCH] Merged: Turn off in-place field representation changes

Revision: 3ce92ce8499a512e15c8ee26c83e4c2c27e3b056
BUG=chromium:952682
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=bmeurer@chromium.org
Change-Id: I42907c53d6d227c37af43408b341d675c84181e2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1598752
Reviewed-by: Benedikt Meurer
Commit-Queue: Jaroslav Sevcik
Cr-Commit-Position: refs/branch-heads/7.5@{#24}
Cr-Branched-From: 35b9bf5cf697b1c0fe4313c1313782d626d2afaa-refs/heads/7.5.288@{#1}
Cr-Branched-From: 912b3912b4fc294083fadcac672571bb43c2f37e-refs/heads/master@{#60911}
---
 src/flag-definitions.h | 2 +-
 test/mjsunit/regress-952682.js | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 test/mjsunit/regress-952682.js
diff --git a/src/flag-definitions.h b/src/flag-definitions.h
index 12b9435622e..da33cd170d5 100644
--- a/src/flag-definitions.h
+++ b/src/flag-definitions.h
@@ -1048,7 +1048,7 @@ DEFINE_BOOL_READONLY(track_constant_fields, true,
 "enable constant field tracking")
 DEFINE_BOOL_READONLY(fast_map_update, false,
 "enable fast map update by caching the migration target")
-DEFINE_BOOL(modify_field_representation_inplace, true,
+DEFINE_BOOL(modify_field_representation_inplace, false,
 "enable in-place field representation updates")
 DEFINE_INT(max_polymorphic_map_count, 4,
 "maximum number of maps to track in POLYMORPHIC state")
diff --git a/test/mjsunit/regress-952682.js b/test/mjsunit/regress-952682.js
new file mode 100644
index 00000000000..dd0e687bf09
--- /dev/null
+++ b/test/mjsunit/regress-952682.js
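Review bot: In the src/flag-definitions.h hunk, the new `false` default for `modify_field_representation_inplace` has no comment explaining why the feature is off, and the help string still reads like an ordinary feature toggle. The flag remains a writable `DEFINE_BOOL` rather than a `DEFINE_BOOL_READONLY` like its neighbours, so it can still be switched on from the command line; that is presumably deliberate for testing, but it means a reader needs to know that enabling it brings back the behaviour tracked in the referenced bug. I would add a line above the definition such as `// Disabled by default pending a fix for chromium:952682; re-enable only together with test/mjsunit/regress-952682.js passing.`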
@@ -0,0 +1,15 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f(array, x) {
+ array.x = x;
+ array[0] = undefined;
+ return array;
+}
+
+f([1], 1);
+f([2], 1);
+%HeapObjectVerify(f([3], undefined));
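Review bot: The new regression test never states what it guards, and its only check is the final `%HeapObjectVerify(...)` call, which as far as I know performs full object verification only in builds compiled with heap verification, so in other configurations the test may pass while checking very little. A header comment above `f` would make the intent reviewable, for example `// Regression test for chromium:952682: the array must still verify after property x, previously stored as a small integer, is stored as undefined.` The same comment should say that the test deliberately passes no representation flag and therefore depends on the default of `modify_field_representation_inplace` in src/flag-definitions.h, so that a later change of that default is caught here.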