c7d01c42ed
The number of arguments passed on the stack might exceed the regular object size limits. Hence we need to emit write barriers when copying the arguments from the stack into the allocated array. Bug: chromium:813450 Change-Id: I829c5c32b1a7b5f4ddb01cc6ea92f85ab47126aa Reviewed-on: https://chromium-review.googlesource.com/939174 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#51603}
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
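// Regression test for the issue described in the commit message at the top
// of this page: when a proxy is constructed, the call arguments are copied
// from the stack into a freshly allocated array, and with enough arguments
// that array may exceed the regular object size limits, so the copy has to
// emit write barriers. A store that skips a required write barrier can leave
// the garbage collector unaware of the reference, which is why the test ends
// by verifying the heap objects involved.
//
// The statements are kept exactly as in the original reproducer (`var`,
// function expressions, statement order); only the stray gutter characters
// from the page extraction were dropped and the indentation restored.

// 0x10100 (65,792) holes. Reflect.construct() below turns them into that many
// `undefined` arguments, which is what makes the argument array large.
var constructorArgs = new Array(0x10100);

// Plain constructor that both proxies ultimately wrap.
var constructor = function() {};

// Inner proxy. Its construct trap has an empty body; nothing in this script
// invokes it, because the outer trap constructs `constructor` directly.
var target = new Proxy(constructor, {
  construct: function() {
  }
});

// Outer proxy wrapping the inner proxy, so construction goes through the
// proxy [[Construct]] path with a trap installed.
var proxy = new Proxy(target, {
  // The Proxy API calls this trap with (target, argumentsList, newTarget), so
  // the parameter named `newTarget` here actually receives the proxy target.
  // Both parameters are ignored: the trap always returns a fresh instance.
  construct: function(newTarget, args) {
    return Reflect.construct(constructor, []);
  }
});

// Baseline: construct through the proxy with no arguments.
var instance = new proxy();

// Case under test: construct through the proxy with 0x10100 arguments.
var instance2 = Reflect.construct(proxy, constructorArgs);

// %HeapObjectVerify is a V8 intrinsic, only parseable with the
// --allow-natives-syntax flag named in the Flags line of the file header.
// It is called on every object that took part in the construct calls.
%HeapObjectVerify(target);
%HeapObjectVerify(proxy);
%HeapObjectVerify(instance);
%HeapObjectVerify(instance2);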