AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
32e48cf510
v8/test/mjsunit/regress-952682.js
Jaroslav Sevcik 3ce92ce849 Turn off in-place field representation changes 
The problem is with element kinds transitions without going through
runtime (i.e., IC or optimizing compiler).

Bug: chromium:952682
Change-Id: I6fe2bb30a0ea6fecb8f6e0750427cc50cc50f9e1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593083
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61158}
2019-05-02 11:52:20 +00:00

16 lines
343 B
JavaScript
Raw Blame History

// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f(array, x) {
array.x = x;
array[0] = undefined;
return array;
}
f([1], 1);
f([2], 1);
%HeapObjectVerify(f([3], undefined));
Reference in New Issue View Git Blame Copy Permalink