Commit aa302056 authored by Benedikt Meurer's avatar Benedikt Meurer Committed by Commit Bot

[turbofan] Properly test number of descriptors.

When peeking into descriptor arrays (for Function.prototype.bind
inlining), we need to check the number of descriptors rather than
the length of the DescriptorArray.

Bug: chromium:825045
Change-Id: I55dbe1544e5e4cb8e23d873961c71ed12294d89c
Reviewed-on: https://chromium-review.googlesource.com/991812
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52315}
parent fe65d6c8
...@@ -424,7 +424,7 @@ Reduction JSCallReducer::ReduceFunctionPrototypeBind(Node* node) { ...@@ -424,7 +424,7 @@ Reduction JSCallReducer::ReduceFunctionPrototypeBind(Node* node) {
// runtime otherwise. // runtime otherwise.
Handle<DescriptorArray> descriptors(receiver_map->instance_descriptors(), Handle<DescriptorArray> descriptors(receiver_map->instance_descriptors(),
isolate()); isolate());
if (descriptors->length() < 2) return NoChange(); if (descriptors->number_of_descriptors() < 2) return NoChange();
if (descriptors->GetKey(JSFunction::kLengthDescriptorIndex) != if (descriptors->GetKey(JSFunction::kLengthDescriptorIndex) !=
isolate()->heap()->length_string()) { isolate()->heap()->length_string()) {
return NoChange(); return NoChange();
......
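Review bot: The bound in `if (descriptors->number_of_descriptors() < 2) return NoChange();` is a bare `2`, while the reads it protects are indexed through named constants such as `JSFunction::kLengthDescriptorIndex`, so the guard and the accesses can drift apart again. Tying the guard to the highest index that is read would keep them in step, for example `if (descriptors->number_of_descriptors() <= JSFunction::kNameDescriptorIndex) return NoChange();`, assuming the name descriptor is the last one inspected; that part of ReduceFunctionPrototypeBind lies outside the hunk. A one-line comment above the check would also record why the accessor matters: `// number_of_descriptors(), not length(): length() is the size of the backing array, not the count of valid descriptors.` Since this is a bounds check inside the optimizing compiler, it may be worth auditing other places that peek into a DescriptorArray for the same length()/number_of_descriptors() mix-up.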
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
const obj = new class A extends (async function (){}.constructor) {};
delete obj.name;
Number.prototype.__proto__ = obj;
function foo() { return obj.bind(); }
foo();
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
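Review bot: Nothing in the test says which precondition it builds, so a later reader cannot tell whether `delete obj.name;` or `Number.prototype.__proto__ = obj;` is the load-bearing step. A short comment above `delete obj.name;`, such as `// Leave the function with fewer than two descriptors so the Function.prototype.bind inlining has to bail out.`, would tie the test to the guard fixed in this commit; the exact map state is inferred from the commit message and is not visible here. All three `foo()` calls discard their result, so the test can only detect a crash. Comparing the `name` and `length` of the bound function before and after `%OptimizeFunctionOnNextCall(foo);` would also catch a silent miscompile.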