Commit 3f3558f3 authored by jarin's avatar jarin Committed by Commit bot

Convert to immutable heap number when materializing arguments object.

BUG=chromium:457935
LOG=n
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/935623002

Cr-Commit-Position: refs/heads/master@{#26704}
parent a39530e4
......@@ -3288,8 +3288,13 @@ SlotRefValueBuilder::SlotRefValueBuilder(JavaScriptFrame* frame,
Handle<Object> SlotRef::GetValue(Isolate* isolate) {
switch (representation_) {
case TAGGED:
return Handle<Object>(Memory::Object_at(addr_), isolate);
case TAGGED: {
Handle<Object> value(Memory::Object_at(addr_), isolate);
if (value->IsMutableHeapNumber()) {
HeapNumber::cast(*value)->set_map(isolate->heap()->heap_number_map());
}
return value;
}
case INT32: {
#if V8_TARGET_BIG_ENDIAN && V8_HOST_ARCH_64_BIT
......@@ -3390,9 +3395,9 @@ Handle<Object> SlotRefValueBuilder::GetNext(Isolate* isolate, int lvl) {
case SlotRef::INT32:
case SlotRef::UINT32:
case SlotRef::DOUBLE:
case SlotRef::LITERAL: {
case SlotRef::LITERAL:
return slot.GetValue(isolate);
}
case SlotRef::ARGUMENTS_OBJECT: {
// We should never need to materialize an arguments object,
// but we still need to put something into the array
......
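Review bot: In the `TAGGED` case of `SlotRef::GetValue`, `set_map(isolate->heap()->heap_number_map())` retags the existing box in place rather than copying the double into a fresh heap number, and nothing in the hunk says why that is safe. If the mutable heap number read from `addr_` is still the backing store of an object's double field (not visible on this page, so this is an assumption), the value handed out here and that field would share one box, and a later in-place field store would change a number that callers treat as immutable. Either state the invariant in a comment, e.g. `// The box at addr_ is no longer used as double-field storage, so retagging it in place cannot alias a live field.`, or hand out a copy such as `value = isolate->factory()->NewHeapNumber(HeapNumber::cast(*value)->value());`. The body of `GetValue` continues past the end of the hunk, so the other representations were not reviewed.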
// Copyright 2015 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function dummy(x) { };
function g() {
return g.arguments;
}
function f(limit) {
var i = 0;
var o = {};
for (; i < limit; i++) {
o.y = +o.y;
g();
}
}
f(1);
f(1);
%OptimizeFunctionOnNextCall(f);
dummy(f(1));
dummy(f(2));
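Review bot: The regression test asserts nothing and has no comment naming the path it guards, so it can only fail by crashing or tripping a debug check. A later edit that looks like cleanup could therefore neutralize it unnoticed. A header comment would pin the intent, for example `// crbug.com/457935: o.y = +o.y keeps a double in o.y while g.arguments is read from optimized f; the value handed out must not be a mutable heap number.` That wording is inferred from the commit title and should be adjusted to the actual trigger. The stray `;` after `function dummy(x) { }` can be dropped as well.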