0188a33c78
... by making sure we deopt when the buffer is detached. Bug: chromium:1074736 Change-Id: I86e4e63014767766d7c079c3a3e38d947c76ef10 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2168874 Commit-Queue: Georg Neis <neis@chromium.org> Commit-Queue: Michael Stanton <mvstanton@chromium.org> Auto-Submit: Georg Neis <neis@chromium.org> Reviewed-by: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/master@{#67437}
18 lines
448 B
JavaScript
18 lines
448 B
JavaScript
// Copyright 2020 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
var arr = new Uint8Array();
|
|
%ArrayBufferDetach(arr.buffer);
|
|
|
|
function foo() {
|
|
return arr[Symbol.iterator]();
|
|
}
|
|
|
|
%PrepareFunctionForOptimization(foo);
|
|
assertThrows(foo, TypeError);
|
|
%OptimizeFunctionOnNextCall(foo);
|
|
assertThrows(foo, TypeError);
|