v8/test/mjsunit/regress/regress-1167709-2.js
Jakob Gruber 47135e0368 [compiler] Don't iterate past end of StateValuesAccess iterator
StateValuesAccess iterates over actual (non-adapted) arguments, thus
we must be careful not to iterate past their end when handling rest
args and advancing through the initial non-rest-args.

Tbr: neis@chromium.org
Bug: chromium:1167709,chromium:1166136
Change-Id: If506050a5518f394e0dcdbf39840b99923d4cbae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2637213
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72145}
2021-01-19 09:46:13 +00:00

19 lines
449 B
JavaScript

// Copyright 2021 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax --no-lazy-feedback-allocation
function __f_0() {
}
function __f_3( __v_7, ...__v_8) {
return new __f_0( ...__v_8);
}
function __f_5() {
__f_3();
}
%PrepareFunctionForOptimization(__f_5);
__f_5();
%OptimizeFunctionOnNextCall(__f_5);
__f_5();