c65f0a78c3
TurboFan assumed that the output of NumberToString is always a sequential string, since that's what we put into the number to string table. However we might eventually morph these strings into ThinStrings when we need to internalize them, in which case the type in TurboFan will be wrong, and we read out of bounds. Also-By: tebbi@chromium.org Bug: chromium:822284 Change-Id: I5aebe73028b95849fff72bba262c517677112353 Reviewed-on: https://chromium-review.googlesource.com/964523 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#51970}
23 lines
574 B
JavaScript
23 lines
574 B
JavaScript
// Copyright 2018 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
function foo(a) {
|
|
a = "" + Math.abs(a);
|
|
return a.charCodeAt(0);
|
|
}
|
|
|
|
// Add '1' to the number to string table (as SeqString).
|
|
String.fromCharCode(49);
|
|
|
|
// Turn the SeqString into a ThinString via forced internalization.
|
|
const o = {};
|
|
o[(1).toString()] = 1;
|
|
|
|
assertEquals(49, foo(1));
|
|
assertEquals(49, foo(1));
|
|
%OptimizeFunctionOnNextCall(foo);
|
|
assertEquals(49, foo(1));
|