Commit a10689db authored by Mike Stanton's avatar Mike Stanton Committed by Commit Bot

[Builtins] Eliminate the fast path in constructor entries

The initial fast array may change, invalidating assumptions.

Bug: chromium:798026
Change-Id: Iddcc40867221a2a58aef33b64e7399e0f2784e89
Reviewed-on: https://chromium-review.googlesource.com/850356
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50363}
parent 971875ca
......@@ -162,13 +162,9 @@ void BaseCollectionsAssembler::AddConstructorEntries(
TNode<BoolT> is_fast_jsarray) {
Label exit(this), slow_loop(this, Label::kDeferred);
GotoIf(IsNullOrUndefined(initial_entries), &exit);
GotoIfNot(is_fast_jsarray, &slow_loop);
AddConstructorEntriesFromFastJSArray(variant, context, collection,
UncheckedCast<JSArray>(initial_entries));
Goto(&exit);
BIND(&slow_loop);
// TODO(mvstanton): Re-enable the fast path when a fix is found for
// crbug.com/798026.
{
AddConstructorEntriesFromIterable(variant, context, native_context,
collection, initial_entries);
......
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --expose-gc
array = new Array(4 * 1024 * 1024);
Set.prototype.add = value => {
if (array.length != 1) {
array.length = 1;
gc();
}
}
new Set(array);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment