78727d4362
When we compile a growing store in TurboFan, we don't pass a (native) context to the %GrowArrayElements fallback function, as the whole logic is actually context independent. However, that means that we need to bailout early in case the object is a prototype, which requires context dependent checks in the array protector code. R=cbruni@chromium.org BUG=chromium:635798 Review-Url: https://codereview.chromium.org/2224253003 Cr-Commit-Position: refs/heads/master@{#38491}
16 lines
330 B
JavaScript
16 lines
330 B
JavaScript
// Copyright 2016 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
function foo() {
|
|
var x = [];
|
|
var y = [];
|
|
x.__proto__ = y;
|
|
for (var i = 0; i < 200000; ++i) {
|
|
y[i] = 1;
|
|
}
|
|
}
|
|
foo();
|