1b5df68365
If the elements fixed array is large enough, it must be allocated in large-object space. This fixes two cases in which we'd incorrectly assume elements fits into new space.

There are potentially quite a few other spots affected by a similar issue, and we should find a more robust solution.

See also: crbug.com/636391.

Bug: v8:6716
Change-Id: I91f09355ac6b7cf399e13cc21d34113a506e58fb
Reviewed-on: https://chromium-review.googlesource.com/623808
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47495}
8 lines
258 B
JavaScript
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

function f() {}
var a = Array(2 ** 16); // Elements in large-object-space.
f.bind(...a);