f3f47a9fef
Bug: chromium:1309467,chromium:1308360,v8:9237 Change-Id: I77b004e263a9bed98a0dfe5936bdad055bde36a6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3745365 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#81530}
45 lines
937 B
JavaScript
45 lines
937 B
JavaScript
// Copyright 2022 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
let badCaseRan = false;
|
|
|
|
function main(i) {
|
|
class B {
|
|
m() {
|
|
return super.nodeType; // The access site (megamorphic)
|
|
}
|
|
}
|
|
let node = new d8.dom.Div(); // API object
|
|
node['a' + i] = 1; // Create a new shape
|
|
if (i < 0x100 - 1) {
|
|
B.prototype.__proto__ = {};
|
|
} else {
|
|
B.prototype.__proto__ = node; // Lookup start object == API object
|
|
}
|
|
let b = new B();
|
|
|
|
b.x0 = 1;
|
|
b.x1 = 2;
|
|
b.x2 = 3;
|
|
b.x3 = 4;
|
|
node.nodeType; // Create a handler for loading from the API object
|
|
let caught = false;
|
|
try {
|
|
b.m();
|
|
} catch {
|
|
caught = true;
|
|
}
|
|
if (i < 0x100 - 1) {
|
|
assertFalse(caught);
|
|
} else {
|
|
assertTrue(caught);
|
|
badCaseRan = true;
|
|
}
|
|
}
|
|
|
|
for (let i = 0; i < 0x100; i++) {
|
|
main(i);
|
|
}
|
|
assertTrue(badCaseRan);
|