AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
49f1450b3f
v8/test/mjsunit/regress/regress-crbug-798026.js
Mike Stanton a10689dba9 [Builtins] Eliminate the fast path in constructor entries 
The initial fast array may change, invalidating assumptions.

Bug: chromium:798026
Change-Id: Iddcc40867221a2a58aef33b64e7399e0f2784e89
Reviewed-on: https://chromium-review.googlesource.com/850356
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50363}
2018-01-04 15:29:00 +00:00

15 lines
341 B
JavaScript
Raw Blame History

// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --expose-gc
array = new Array(4 * 1024 * 1024);
Set.prototype.add = value => {
if (array.length != 1) {
array.length = 1;
gc();
}
}
new Set(array);
Reference in New Issue View Git Blame Copy Permalink