65079f10b9
This code is triggered by Runtime_ArrayIncludes_Slow. The elements kind changes from DICTIONARY (with accessor property using Object.defineProperty) to empty DICTIONARY (by set the length to 0), to frozen/seal/nonextensible elements. This element kind transition happened in accessor property by Array.includes. Bug: v8:9894 Change-Id: I224ceb537ff358a30a6e00414c71d6fe18924bb4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1876994 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#64575}
49 lines
992 B
JavaScript
49 lines
992 B
JavaScript
// Copyright 2019 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
(function frozen() {
|
|
const ary = [1.1]
|
|
Object.defineProperty(ary, 0, {get:run_it} );
|
|
|
|
// v8::internal::Runtime_ArrayIncludes_Slow.
|
|
ary.includes();
|
|
|
|
function run_it(el) {
|
|
ary.length = 0;
|
|
ary[0] = 1.1;
|
|
Object.freeze(ary);
|
|
return 2.2;
|
|
}
|
|
})();
|
|
|
|
(function seal() {
|
|
const ary = [1.1]
|
|
Object.defineProperty(ary, 0, {get:run_it} );
|
|
|
|
// v8::internal::Runtime_ArrayIncludes_Slow.
|
|
ary.includes();
|
|
|
|
function run_it(el) {
|
|
ary.length = 0;
|
|
ary[0] = 1.1;
|
|
Object.seal(ary);
|
|
return 2.2;
|
|
}
|
|
})();
|
|
|
|
(function preventExtensions() {
|
|
const ary = [1.1]
|
|
Object.defineProperty(ary, 0, {get:run_it} );
|
|
|
|
// v8::internal::Runtime_ArrayIncludes_Slow.
|
|
ary.includes();
|
|
|
|
function run_it(el) {
|
|
ary.length = 0;
|
|
ary[0] = 1.1;
|
|
Object.preventExtensions(ary);
|
|
return 2.2;
|
|
}
|
|
})();
|