AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
30be479711
v8/test/mjsunit/regress/regress-crbug-714872.js
Adam Klein 86aa7960cc Revert behavioral part of 84dc8ed4c3 
Clearing out the constructor field is invalid in the case where the
function's map has transitioned since the last SetPrototype call.

Bug: chromium:714972
Change-Id: Ie918702a128219c4995b805f7c9a53b41cc4e4b6
Reviewed-on: https://chromium-review.googlesource.com/486130
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44906}
2017-04-26 20:56:30 +00:00

9 lines
230 B
JavaScript
Raw Blame History

// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function f() {}
f.prototype = 1;
f.foo = 1;
f.prototype = {};
Reference in New Issue View Git Blame Copy Permalink