From aae24ae40b0ac354694f51d483fe0bcbd8c35d4d Mon Sep 17 00:00:00 2001 From: "jkummerow@chromium.org" Date: Mon, 16 Jun 2014 08:41:29 +0000 Subject: [PATCH] Fix representation of Phis for mutable-heapnumber-in-object-literal properties BUG=v8:3392 LOG=y R=verwaest@chromium.org Review URL: https://codereview.chromium.org/328343004 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21850 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 --- src/hydrogen.cc | 2 +- test/mjsunit/regress/regress-3392.js | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 test/mjsunit/regress/regress-3392.js diff --git a/src/hydrogen.cc b/src/hydrogen.cc index 658cc5c..c75046d 100644 --- a/src/hydrogen.cc +++ b/src/hydrogen.cc @@ -11010,7 +11010,7 @@ void HOptimizedGraphBuilder::BuildEmitInObjectProperties( // 1) it's a child object of another object with a valid allocation site // 2) we can just use the mode of the parent object for pretenuring HInstruction* double_box = - Add(heap_number_constant, HType::HeapNumber(), + Add(heap_number_constant, HType::HeapObject(), pretenure_flag, HEAP_NUMBER_TYPE); AddStoreMapConstant(double_box, isolate()->factory()->heap_number_map()); diff --git a/test/mjsunit/regress/regress-3392.js b/test/mjsunit/regress/regress-3392.js new file mode 100644 index 0000000..375f302 --- /dev/null +++ b/test/mjsunit/regress/regress-3392.js @@ -0,0 +1,18 @@ +// Copyright 2014 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax + +function foo() { + var a = {b: -1.5}; + for (var i = 0; i < 1; i++) { + a.b = 1; + } + assertTrue(0 <= a.b); +} + +foo(); +foo(); +%OptimizeFunctionOnNextCall(foo); +foo(); -- 2.7.4