d6752d94a8
The EscapeStatusAnalysis didn't know anything about the simplified operator ConvertTaggedHoleToUndefined, thus leading to a crash. We now just handled it by pretending that any allocation that goes into such a node escapes. BUG=chromium:669451 R=tebbi@chromium.org Review-Url: https://codereview.chromium.org/2533263002 Cr-Commit-Position: refs/heads/master@{#41359}
16 lines
390 B
JavaScript
16 lines
390 B
JavaScript
// Copyright 2016 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
function foo() {
|
|
var a = [,];
|
|
a[0] = {}
|
|
a[0].toString = FAIL;
|
|
}
|
|
try { foo(); } catch (e) {}
|
|
try { foo(); } catch (e) {}
|
|
%OptimizeFunctionOnNextCall(foo);
|
|
try { foo(); } catch (e) {}
|