c90353e3c7
The named LoadIC code was missing a check for "names" that convert to TypedArray indices. This was flushed out by the recent bump of the max TypedArray size from 2^32-1 to 2^32. Named StoreICs had the same bug; fixed here as well. Bug: v8:4153 Fixed: chromium:1104608 Change-Id: I6bd2552d6ccc238104f92e7b95d19970d4a75dae Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2295606 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#68840}
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --multi-mapped-mock-allocator
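// Regression test for named property ICs and TypedArray indices.
//
// Per the commit message, the named LoadIC and StoreIC were missing a check
// for "names" that convert to TypedArray indices, and the problem surfaced
// when the maximum TypedArray length was raised from 2^32-1 to 2^32.
//
// kSize is 2^32, so the string key "4294967295" (kSize - 1) names the last
// element of the array. That value is above the largest ordinary array index
// (2^32 - 2), so the literal is a property *name* rather than an array index,
// yet on a TypedArray of this length it must still resolve to an element.
const kSize = 4294967296;

// Skip this test on 32-bit platforms.
if (%TypedArrayMaxLength() >= kSize) {
  const array = new Uint8Array(kSize);

  // Named load of the last element. A fresh Uint8Array is zero-filled, so any
  // result other than 0 (e.g. undefined from an ordinary property lookup)
  // means the key was not treated as an element index.
  function f() {
    let result = array["4294967295"];
    assertEquals(0, result);
  }

  // Named store to the last element. Must write the element itself rather
  // than being dropped or turned into an ordinary named property.
  function g() {
    array["4294967295"] = 1;
  }

  // Warm up f so its load site collects feedback, then run the optimized
  // version of the same load.
  %PrepareFunctionForOptimization(f);
  for (let i = 0; i < 3; i++) f();
  %OptimizeFunctionOnNextCall(f);
  f();

  // Same sequence for the store. The original test only checked that g() did
  // not crash; a store that is silently dropped or misrouted would have
  // passed. Read the element back through a numeric key (a different access
  // path from the named one under test) to confirm the write landed.
  %PrepareFunctionForOptimization(g);
  for (let i = 0; i < 3; i++) g();
  assertEquals(1, array[kSize - 1]);

  // Reset the element so the check below observes the optimized store only,
  // not the value left behind by the warm-up calls.
  array[kSize - 1] = 0;
  %OptimizeFunctionOnNextCall(g);
  g();
  assertEquals(1, array[kSize - 1]);
}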