fd29e1d841
Bug: chromium:820312 Change-Id: Ie9237a5c53ac7121e469af460a2f0ad5016d9d03 Reviewed-on: https://chromium-review.googlesource.com/957090 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#51844}
27 lines
858 B
JavaScript
27 lines
858 B
JavaScript
// Copyright 2018 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
let arr = new Array(0x10000);
|
|
let resolve_element_closures = new Array(0x10000);
|
|
|
|
for (let i = 0; i < arr.length; i++) {
|
|
arr[i] = new Promise(() => {});
|
|
arr[i].then = ((idx, resolve) => {
|
|
resolve_element_closures[idx] = resolve;
|
|
}).bind(null, i);
|
|
}
|
|
|
|
Promise.all(arr);
|
|
|
|
// 0xffff is too large, transitions to DICTIONARY_ELEMENTS
|
|
resolve_element_closures[0xffff]();
|
|
|
|
// grows the capacity, the elements kind of the result array is still DICTIONARY_ELEMENTS, but the elements object of it is no more a dictionary.
|
|
resolve_element_closures[100]();
|
|
|
|
// You can observe that V8 crashes here in debug mode.
|
|
resolve_element_closures[0xfffe]();
|