Commit b11c9251 authored by jarin@chromium.org's avatar jarin@chromium.org

Disable merging simulates across captured objects.

BUG=chromium:416730
LOG=N
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/607453002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24225 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
parent 3857757f
...@@ -53,6 +53,13 @@ class State : public ZoneObject { ...@@ -53,6 +53,13 @@ class State : public ZoneObject {
FlushSimulates(); FlushSimulates();
return this; return this;
} }
if (instr->IsCapturedObject()) {
// Do not merge simulates across captured objects - captured objects
// change environments during environment replay, and such changes
// would not be reflected in the simulate.
FlushSimulates();
return this;
}
// Skip the non-simulates and the first simulate. // Skip the non-simulates and the first simulate.
if (!instr->IsSimulate()) return this; if (!instr->IsSimulate()) return this;
if (first_) { if (first_) {
......
// Copyright 2014 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
var d = {x: undefined, y: undefined};
function Crash(left, right) {
var c = {
x: right.x - left.x,
y: right.y - left.y
};
return c.x * c.y;
}
var a = {x: 0.5, y: 0};
var b = {x: 1, y: 0};
for (var i = 0; i < 3; i++) Crash(a, b);
%OptimizeFunctionOnNextCall(Crash);
Crash(a, b);
Crash({x: 0, y: 0.5}, b);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment