AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
dac86be251
v8/test/mjsunit/compiler/regress-952586.js
Jaroslav Sevcik d2bfdafe20 [turbofan] Fix bounds check for the 'in' operator on typed arrays. 
This fixes the bounds check for the 'in' operator to handle the negative
index case properly (by using the same machinery as the potentially
out-of-bounds loads/stores use).

Bug: chromium:952586
Change-Id: I2225acae8be7dcedbcde745e8ef202e789085041
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581179
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60978}
2019-04-24 11:52:17 +00:00

16 lines
331 B
JavaScript
Raw Blame History

// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
a = new Int8Array(1);
function f(i) {
return i in a;
}
assertTrue(f(0));
%OptimizeFunctionOnNextCall(f);
assertFalse(f(-1));
Reference in New Issue View Git Blame Copy Permalink