fd150c7988
The condition for bounds check generation was not in sync with the condition that was used for the actual access, which led to invalid memory accesses when the array protector was invalid.

Tbr: tebbi@chromium.org
Bug: chromium:781506, chromium:781494, chromium:781457, chromium:781285, chromium:781381, chromium:781380, v8:6936, v8:7014, v8:7027
Change-Id: Ia5b2ad02940292572ed9b37abd3f9ffaa6d7a26b
Reviewed-on: https://chromium-review.googlesource.com/753590
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49124}
14 lines
397 B
JavaScript
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

// Element load followed by a float add: a missing element reads as
// undefined, and undefined + 0.5 is NaN.
function foo(a, i) { return a[i] + 0.5; }

// Collect type feedback for an element access on a plain object.
foo({}, 1);
// Invalidate the array protector by adding an element to Array.prototype.
Array.prototype.unshift(1.5);
assertTrue(Number.isNaN(foo({}, 1)));
// Optimized code must emit the bounds check under the same condition as the
// access it guards; before the fix the two conditions were out of sync.
%OptimizeFunctionOnNextCall(foo);
assertTrue(Number.isNaN(foo({}, 1)));
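As an added illustration (not part of the V8 regression test above) of what the array protector named in the commit message guards at the JavaScript level: once Array.prototype gains an indexed element, a hole or out-of-range read can no longer be assumed to yield undefined, so optimized code must keep the full check. The function names here are the example's own.

```javascript
// Same shape as the regression test: an element load plus a float add,
// so a missing element turns into NaN.
function foo(a, i) { return a[i] + 0.5; }

// Record both the raw element read and what foo() computes from it.
function probe(a, i) {
  return { raw: a[i], sum: foo(a, i) };
}

// Runs the scenario and returns the observations before and after the
// array protector is invalidated. State is restored before returning.
function runScenario() {
  const holey = [, 42]; // constructed sample: index 0 is a hole, length 2
  const before = {
    plainObject: probe({}, 1),    // {} has no index 1 -> undefined -> NaN
    hole: probe(holey, 0),        // hole reads as undefined while prototypes are clean
    outOfBounds: probe(holey, 5), // past length -> undefined
  };

  // The same prototype mutation the regression test performs: it installs
  // Array.prototype[0] = 1.5 (and sets Array.prototype.length = 1), which
  // invalidates V8's assumption that array holes read as undefined.
  Array.prototype.unshift(1.5);

  const after = {
    plainObject: probe({}, 1),    // Object.prototype is untouched -> still NaN
    hole: probe(holey, 0),        // the hole now falls through to Array.prototype[0]
    outOfBounds: probe(holey, 5), // Array.prototype has no index 5 -> undefined
  };

  // Remove the element again so the mutation does not leak to other code.
  Array.prototype.shift();
  return { before, after };
}
```

The `before`/`after` pair shows why the engine must take the protector's state into account: the same hole read returns undefined in one case and 1.5 in the other, and the bounds check that precedes the load has to be generated under exactly the condition the load itself uses.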