90d161ff79
Empty slow element dictionary had the sticky bit set. This bit was used to indicate that the dictionary cannot go to the fast mode either because the dictionary had elements with attributed or elements at large indices. There is no reason for the empty dictionary to have this bit set. This causes bugs in some corner cases. Bug: chromium:1003732 Change-Id: Ib29e1cda784869b9deb9361d8e6b5539f7154a38 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1833686 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Mythri Alle <mythria@chromium.org> Cr-Commit-Position: refs/heads/master@{#64158}
26 lines
639 B
JavaScript
26 lines
639 B
JavaScript
// Copyright 2019 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
function f_1() {
|
|
var v = new Array();
|
|
v[0] = 10;
|
|
return v;
|
|
}
|
|
|
|
function test() {
|
|
var setter_called = false;
|
|
// Turn array to NumberDictionary
|
|
Array.prototype[123456789] = 42;
|
|
assertEquals(f_1().length, 1);
|
|
|
|
// Reset to empty_slow_dictionary
|
|
Array.prototype.length = 0;
|
|
|
|
// This should reset the prototype validity cell.
|
|
Array.prototype.__defineSetter__("0", function() {setter_called = true});
|
|
f_1();
|
|
assertEquals(setter_called, true);
|
|
}
|
|
test();
|