e121aabe39
This fixes the representation type for values in JSArray::length fields when JSNativeContextSpecialization lowers loads. Only arrays with fast elements kind are guaranteed to have a Smi represented length. R=bmeurer@chromium.org TEST=mjsunit/regress/regress-4515 BUG=v8:4515, v8:4493, v8:4470 LOG=n Review URL: https://codereview.chromium.org/1410393006 Cr-Commit-Position: refs/heads/master@{#31558}
// Copyright 2015 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --turbo-filter=f
/**
 * Returns the `length` of `array` coerced to an unsigned 32-bit integer.
 *
 * This is the function under test: the file's Flags line restricts TurboFan
 * to it (--turbo-filter=f), so the property load and the shift below are
 * what the optimizing compiler lowers.
 *
 * @param {Array} array - Object whose `length` property is read.
 * @returns {number} `array.length` converted with `>>> 0`.
 */
function f(array) {
  var length = array.length;
  // `>>> 0` converts to uint32, so a length above 2^31 - 1 must come back
  // unchanged rather than truncated or reinterpreted as a signed value.
  return length >>> 0;
}
// Build an array whose length does not fit in a signed 32-bit integer:
// storing at index 4000000000 makes length 4000000001, which is greater
// than 2^31 - 1 (2147483647).
// NOTE(review): an array this sparse presumably no longer has a fast
// elements kind, so its length is not guaranteed to be a Smi — confirm.
var a = new Array();
a[4000000000] = "A";

// Call f twice before optimization is requested; both calls must already
// return the full length.
// NOTE(review): the two calls presumably exist to warm up f before the
// optimizing compiler runs — confirm.
assertEquals(4000000001, f(a));
assertEquals(4000000001, f(a));
// Intrinsic made available by --allow-natives-syntax: requests that f be
// optimized on its next call.
%OptimizeFunctionOnNextCall(f);
// The regression check itself: after the optimization request, f must
// still return the exact length, i.e. the compiled code must not assume a
// narrower representation for the loaded length value.
assertEquals(4000000001, f(a));