7ede61ed1d
In PrependElementIndicesImpl we sort a FixedArray of indices potentially containing HeapNumbers. During the string conversion we might trigger a GC. This in turn might try to read a slot where we previously had a HeapNumber but the sort sneaked a SMI in there which is not a valid pointer. BUG=chromium:630561 Review-Url: https://codereview.chromium.org/2173653003 Cr-Commit-Position: refs/heads/master@{#37993}
14 lines
330 B
JavaScript
14 lines
330 B
JavaScript
// Copyright 2016 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --gc-interval=30
|
|
|
|
var dict_elements = {};
|
|
|
|
for (var i= 0; i< 100; i++) {
|
|
dict_elements[2147483648 + i] = i;
|
|
}
|
|
|
|
var keys = Object.keys(dict_elements);
|