84cfc9ca71
We need to check if the index is less than zero and miss to the runtime if this is so. Bug: chromium:1257519 Change-Id: I7d22f2765232815120b8baf7b8b83d5b00024375 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3218975 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/main@{#77380}
24 lines
582 B
JavaScript
24 lines
582 B
JavaScript
// Copyright 2021 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --no-lazy-feedback-allocation
|
|
|
|
var a = "hello";
|
|
function foo(i) {
|
|
var x = a[i];
|
|
return x;
|
|
}
|
|
|
|
// Set up the KeyedLoadIC for monomorphic string load.
|
|
foo(4);
|
|
foo(4);
|
|
foo(4);
|
|
// That also handles out of bounds indexes.
|
|
assertEquals(foo(8), undefined);
|
|
|
|
// Add a negative indexed property (not an element, so the
|
|
// NoElement protector will not fire).
|
|
Object.prototype[-1] = 2;
|
|
assertEquals(2, foo(-1));
|