bf251848b5
... when one of the receivers is a JSArray that may have a read-only length. Bug: chromium:1069530 Change-Id: Idbaf1a9030bb5a0f9c25e30925f18f603a99832f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2196353 Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#67783}
30 lines
680 B
JavaScript
30 lines
680 B
JavaScript
// Copyright 2020 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --no-lazy-feedback-allocation
|
|
|
|
function store(ar, index) {
|
|
ar[index] = "a";
|
|
}
|
|
|
|
let growable_array = [];
|
|
|
|
// Train IC on growable array
|
|
store(growable_array, 0);
|
|
store(growable_array, 1);
|
|
store(growable_array, 2);
|
|
store(growable_array, 3);
|
|
|
|
// Now make IC polymorphic
|
|
var array = [];
|
|
Object.defineProperty(array, "length", { value: 3, writable: false });
|
|
|
|
store(array, 0);
|
|
store(array, 1);
|
|
|
|
// ... and try to grow it.
|
|
store(array, 3);
|
|
assertEquals(undefined, array[3]);
|
|
assertEquals(3, array.length);
|