v8/test/mjsunit/regress/regress-crbug-1265043.js
Jakob Kummerow 881b89240c [ic] Fix KeyedLoadIC for "string"[4294967295]
If index > JSObject::kMaxElementIndex, we have to perform a prototype
chain lookup for a named property. The corresponding check was missing
for string receivers.

Fixed: chromium:1265043
Change-Id: Ibccd058a4bd108eeee235762bea0bc4163aaa0b3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3257704
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77683}
2021-11-03 14:15:30 +00:00


// Copyright 2021 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
// String receiver for the keyed load in foo(). "hello" has 5 characters, so
// both indices used in this test (8 and 4294967295) lie past its end.
// Assigned without var/let/const.
val = "hello";
// Keyed load `val[i]` on the string receiver `val`. This is the access the
// regression test checks; the callers pass only out-of-bounds indices.
function foo(i) {
return val[i];
}
// Phase 1, before any optimization request.
// Index 8 is past the end of "hello" and nothing on the prototype chain
// defines it, so the load must yield undefined.
assertEquals(undefined, foo(8));
// 4294967295 is 2^32 - 1. Per the fix description, an index above
// JSObject::kMaxElementIndex has to be looked up as a named property on the
// prototype chain, so the value installed here must be visible through the
// string receiver.
Object.prototype[4294967295] = "boom";
assertEquals("boom", foo(4294967295));
// Phase 2: the same two loads after foo is prepared for optimization.
// NOTE(review): presumably this lets foo collect feedback for the keyed load
// before it is optimized; confirm against the V8 testing docs.
%PrepareFunctionForOptimization(foo);
assertEquals(undefined, foo(8));
assertEquals("boom", foo(4294967295));
// Phase 3: request optimization on the next call and check that both results
// are unchanged. The statement order is part of the test; keep each phase
// paired with both assertions when editing.
%OptimizeFunctionOnNextCall(foo);
assertEquals(undefined, foo(8));
assertEquals("boom", foo(4294967295));