f73973092c
In certain corner-cases we would grow a FAST_ELEMENTS packed backing store of a JS_ARGUMENTS_TYPE object without converting to holey elements kinds. As a side effect you could then read out the_hole. BUG=v8:5772 Review-Url: https://codereview.chromium.org/2597013004 Cr-Commit-Position: refs/heads/master@{#41921}
43 lines
731 B
JavaScript
43 lines
731 B
JavaScript
// Copyright 2016 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
(function sloppyPackedArguments() {
|
|
function f(a) {
|
|
for (var i = 0; i < 2; i++) {
|
|
a[i] = 0;
|
|
}
|
|
}
|
|
var boom;
|
|
function g() {
|
|
var a = arguments;
|
|
f(a);
|
|
boom = a[5];
|
|
assertEquals(undefined, boom);
|
|
}
|
|
|
|
f([]);
|
|
g(1);
|
|
})();
|
|
|
|
(function strictPackedArguments() {
|
|
"use strict";
|
|
function f(a) {
|
|
for (var i = 0; i < 2; i++) {
|
|
a[i] = 0;
|
|
}
|
|
}
|
|
var boom;
|
|
function g() {
|
|
var a = arguments;
|
|
f(a);
|
|
boom = a[5];
|
|
assertEquals(undefined, boom);
|
|
}
|
|
|
|
f([]);
|
|
g(1);
|
|
})();
|