v8/regress-crbug-783132.js at 81b3372efa2aa692ac9de896787052652d424c83 - v8 - Gitea: Git with a cup of tea

AuroraMiddleware/v8

Igor Sheludko 00a781dbc3 [runtime] Ensure elements transitions don't interfere with field type tracking.

This CL ensures that elements kind transitions don't cause silent
mutable-to-constant or any-to-class-type migrations of in-place
generalizable fields.

Bug: v8:5495, chromium:783132
Change-Id: Ie60224db62bd45d27148ae0469c7af5a3fe944fd
Reviewed-on: https://chromium-review.googlesource.com/785190
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49583}

2017-11-22 16:51:47 +00:00

16 lines

309 B

JavaScript

Raw Blame History

 // Copyright 2017 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 // Flags: --verify-heap
 function f(o, v) {
   try {
     f(o, v + 1);
   } catch (e) {
   }
   o[v] = 43.35 + v * 5.3;
 }
 f(Array.prototype, 0);