3729410578
This avoids leaving the heap in an invalid state if a GC occurs during population of the cloned property array, as is done in other IC builtins.

BUG=chromium:904167, v8:7611
R=jkummerow@chromium.org, ishell@chromium.org

Change-Id: I0350ed2d65b72e299f7109b7d5aa86331f60e940
Reviewed-on: https://chromium-review.googlesource.com/c/1350282
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57879}
15 lines
546 B
JavaScript
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Previously, spreading in-object properties would always treat double fields
// as tagged, potentially dereferencing a Float64.

// Ensure that we don't fail an assert from --verify-heap when cloning a
// MutableHeapNumber in the CloneObjectIC handler case.
var src, clone;
for (var i = 0; i < 40000; i++) {
  src = { ...i, x: -9007199254740991 };
  clone = { ...src };
}
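The regression test above only checks that the loop survives --verify-heap. As an added example (not part of the V8 tree or of this commit), the following companion check asserts what a correct spread clone must guarantee for number-valued properties: values are preserved bit-exactly and the clone does not alias the source's storage. The names DOUBLES, sameNumber and checkSpreadClone and all sample values are constructed for illustration, and whether the engine stores these values as double fields is an assumption.

```javascript
// Added example, not V8 project code. Sample values are constructed; they are
// numbers that do not fit a small integer, so an engine may box them
// (assumption: the storage strategy is an implementation detail).
const DOUBLES = [-9007199254740991, 0.5, -0, NaN, Number.MAX_VALUE, 2 ** 31];

// Object.is distinguishes -0 from +0 and treats NaN as equal to NaN, which
// makes it a strict comparison for number values.
function sameNumber(a, b) {
  return Object.is(a, b);
}

// Runs the same spread pattern as the regression test long enough to warm up
// the clone path, and returns a list of observed violations (empty = pass).
function checkSpreadClone(iterations) {
  const failures = [];
  for (let i = 0; i < iterations; i++) {
    const x = DOUBLES[i % DOUBLES.length];
    const y = i + 0.25;
    const src = { ...i, x: x, y: y }; // spreading a number adds no properties
    const clone = { ...src };

    // 1. The clone must carry exactly the source's keys, in order.
    if (Object.keys(clone).join() !== "x,y") {
      failures.push({ i, kind: "shape", keys: Object.keys(clone) });
    }
    // 2. The values must survive the copy unchanged.
    if (!sameNumber(clone.x, x) || !sameNumber(clone.y, y)) {
      failures.push({ i, kind: "value", x: clone.x, y: clone.y });
    }
    // 3. Numbers are primitives: writing to the source afterwards must not
    //    show through in the clone (no shared mutable number box).
    src.x = 1.5;
    src.y += 1;
    if (!sameNumber(clone.x, x) || !sameNumber(clone.y, y)) {
      failures.push({ i, kind: "alias", x: clone.x, y: clone.y });
    }
  }
  return failures;
}

const failures = checkSpreadClone(40000);
console.log(failures.length === 0 ? "spread clone OK" : failures.slice(0, 5));
```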