49749bb976
The bug was that the allocation of the result array (before the loop) was using the outer frame state, thus returning the allocation's result (an array full of holes) as the return value of the map operation in case the allocation triggers a lazy deopt. Bug: chromium:1104514 Change-Id: I9a6db8a5860472e1b438b6b54414938d61e166c1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2324249 Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#69129}
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
// Allocate and immediately discard an array whose requested length (32760)
// is, per the trailing note, above JSArray::kInitialMaxFastElementArray.
// NOTE(review): how this influences the later result-array allocation inside
// map() is not visible in this file; treat the statement as part of the
// reproducer and keep it ahead of main().
Array(32760); // > JSArray::kInitialMaxFastElementArray
/**
 * Reproducer body for chromium:1104514.
 *
 * Maps a two-element array through an identity callback and traps if the
 * result does not carry the source values. The fix this test guards concerns
 * the frame state used for map's result-array allocation: with the wrong
 * state, a lazy deopt triggered by that allocation made map return the
 * freshly allocated, still unfilled array.
 *
 * The statement sequence is the reproducer; do not reorder or simplify it.
 */
function main() {
  const a = [1, 2];
  // A named (non-index) property is stored on the array before the map call,
  // and another one after it (a.z below).
  // NOTE(review): presumably these stores and the toString() call are what
  // make the deopt reachable; the file does not say, so confirm before
  // touching them.
  a.x = 666;
  a.toString();
  // Identity map, invoked through Array.prototype.map.call rather than a.map.
  const aa = Array.prototype.map.call(a, v => v);
  // Loose != also rejects undefined, so a result made of holes fails here.
  // %SystemBreak() is a V8 native and needs the --allow-natives-syntax flag
  // named in the Flags line; it makes the failure stop the run instead of
  // passing silently.
  if (aa[0] != 1 || aa[1] != 2) { %SystemBreak(); }
  a.z = 667;
}
// Call main() 20000 times.
// NOTE(review): no explicit optimization intrinsic is used, so the iteration
// count presumably exists to get main() compiled by the optimizing tier,
// where the frame-state defect applied; confirm before lowering it.
for (var i = 0; i < 20000; ++i) {
  main();
}