v8/test/mjsunit/regress/regress-crbug-781506-3.js
Benedikt Meurer fd150c7988 [turbofan] Generate the correct bounds when the array protector isn't valid.
The condition for bounds check generation was not in sync with the
condition that was used for the actual access, which lead to invalid
memory accesses when the array protector was invalid.

Tbr: tebbi@chromium.org
Bug: chromium:781506, chromium:781494, chromium:781457, chromium:781285, chromium:781381, chromium:781380, v8:6936, v8:7014, v8:7027
Change-Id: Ia5b2ad02940292572ed9b37abd3f9ffaa6d7a26b
Reviewed-on: https://chromium-review.googlesource.com/753590
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49124}
2017-11-04 12:06:31 +00:00

14 lines
397 B
JavaScript

// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo(a, i) { return a[i] + 0.5; }
foo({}, 1);
Array.prototype.unshift(1.5);
assertTrue(Number.isNaN(foo({}, 1)));
%OptimizeFunctionOnNextCall(foo);
assertTrue(Number.isNaN(foo({}, 1)));