fd074f9a80
We don't want to handle even non-growing stores when there are TypedArrays in the prototype chain. Typed arrays handle the out-of-bounds accesses by ignoring the stores unlike the regular array writes. We just let runtime handle these cases instead of making ICs more complex. There was an earlier cl (https://chromium-review.googlesource.com/c/v8/v8/+/1609790) that fixed it for growing stores. This cl extends it for non-growing stores as well to handle more cases. Bug: chromium:961709 Change-Id: I65e079b88c10d2ba343f69a67134893319cd8f8a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1662305 Commit-Queue: Mythri Alle <mythria@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#62243}
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
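/**
 * Growing-store shape of the regression test: stores to index 0 of an empty
 * array literal and reads the same index back.
 *
 * The array has no own element 0, so both the keyed store and the keyed load
 * consult the prototype chain. With an ordinary prototype chain this returns 1.
 * This file later places a zero-length Int8Array behind Array.prototype; the
 * typed array ignores the out-of-bounds store, and the test then expects
 * undefined. The statement shapes are deliberate and must not be restyled,
 * since the test targets the store path taken for exactly this code.
 *
 * @returns {number|undefined} The value read back from index 0.
 */
function foo() {
  const a = [];
  // Index 0 equals the current length (0), so this store would grow the array.
  a[0] = 1;
  return a[0];
}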
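/**
 * Non-growing-store shape of the regression test: stores to index 0 of a
 * preallocated length-10 array and reads the same index back.
 *
 * This is the case the commit adds coverage for. With an ordinary prototype
 * chain this returns 1. This file later places a zero-length Int8Array behind
 * Array.prototype; the typed array ignores the out-of-bounds store, and the
 * test then expects undefined. The statement shapes are deliberate and must
 * not be restyled, since the test targets the store path taken for exactly
 * this code.
 *
 * @returns {number|undefined} The value read back from index 0.
 */
function bar() {
  const a = new Array(10);
  // Index 0 is inside the length of 10, so nothing grows, but the slot is a
  // hole: the store still has to consult the prototype chain.
  a[0] = 1;
  return a[0];
}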
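// Put a zero-length typed array behind Array.prototype. Every array created
// after this point has a typed array in its prototype chain, so a store to a
// missing element reaches the typed array, which ignores out-of-bounds writes
// instead of defining the element on the receiver. This must run before any
// call to foo() or bar().
Object.setPrototypeOf(Array.prototype, new Int8Array());

// V8 native, available only under --allow-natives-syntax: make sure foo has a
// feedback vector before it is first called.
%EnsureFeedbackVectorForFunction(foo);
// Growing store. Each call must observe the ignored write. The call is
// repeated, presumably so that the second run goes through whatever handler
// the first one installed (confirm against the IC code).
assertEquals(undefined, foo());
assertEquals(undefined, foo());

// Same sequence for the non-growing store into a holey, preallocated array.
%EnsureFeedbackVectorForFunction(bar);
assertEquals(undefined, bar());
assertEquals(undefined, bar());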