2425885552
Bug: v8:8801,v8:8394,v8:9183 Change-Id: I5ceaf731a1b2720f086e6791fe08caaaa55de030 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1662568 Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Commit-Queue: Mythri Alle <mythria@chromium.org> Reviewed-by: Mythri Alle <mythria@chromium.org> Auto-Submit: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#62224}
22 lines
656 B
JavaScript
22 lines
656 B
JavaScript
// Copyright 2016 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
var boom = (function(stdlib, foreign, heap) {
|
|
"use asm";
|
|
var MEM8 = new stdlib.Uint8Array(heap);
|
|
var MEM32 = new stdlib.Int32Array(heap);
|
|
function foo(i, j) {
|
|
j = MEM8[256];
|
|
// This following value '10' determines the value of 'rax'
|
|
MEM32[j >> 10] = 0xabcdefaa;
|
|
return MEM32[j >> 2] + j
|
|
}
|
|
return foo
|
|
})(this, 0, new ArrayBuffer(256));
|
|
%PrepareFunctionForOptimization(boom);
|
|
%OptimizeFunctionOnNextCall(boom);
|
|
boom(0, 0x1000);
|