6115a006fd
When we set an out of bounds array index, the index might be so large that it causes the array to go to dictionary mode. It's better to avoid "learning" that this was a growing store in that case. This fix also partially reverts a fix for bug 347543, as this fix is comprehensive and satisfies that repro case as well (partial revert of v19591).

BUG=349874
LOG=N
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/188643002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19691 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
16 lines
364 B
JavaScript
// Copyright 2014 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

// The bug 349885

function foo(a) {
  a[292755462] = new Object();
}
foo(new Array(5));
foo(new Array(5));
%OptimizeFunctionOnNextCall(foo);
foo(new Array(10));