0b4b14bc48
Avoid writing NumberOfElements to HashTable when it hasn't changed as the HashTable could be in RO_SPACE and this operation will crash. Bug: v8:841592 Change-Id: Iffadd567fc10aa9cd13d953da81275464b16c6c0 Reviewed-on: https://chromium-review.googlesource.com/1052693 Commit-Queue: Dan Elphick <delphick@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#53116}
22 lines
629 B
JavaScript
22 lines
629 B
JavaScript
// Copyright 2018 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// a has packed SMI elements
|
|
a = [];
|
|
|
|
// a has dictionary elements
|
|
a.length = 0xFFFFFFF;
|
|
|
|
// a has dictionary elements and the backing array is
|
|
// empty_slow_element_dictionary (length 0)
|
|
a.length = 0;
|
|
|
|
// a has dictionary elements and the backing array is
|
|
// empty_slow_element_dictionary (length 0xFFFFFFF)
|
|
a.length = 0xFFFFFFF;
|
|
|
|
// This will crash if V8 attempts to remove 0 elements from
|
|
// empty_slow_element_dictionary as it is in RO_SPACE.
|
|
a.length = 1;
|