da67c2ae36
An 'arguments' array cannot be allocated in young space when its size exceeds kMaxRegularHeapObjectSize. In this case the optimizations in JSCreateLowering::ReduceJSCreateArguments are skipped. Bug: chromium:1098565 Change-Id: I30fdc78a1eb6e51fcd293785a46c9fd78995da9a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2273121 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org> Cr-Commit-Position: refs/heads/master@{#68585}
24 lines
493 B
JavaScript
24 lines
493 B
JavaScript
// Copyright 2020 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
function f() {
|
|
return arguments;
|
|
}
|
|
|
|
arr = [];
|
|
arr.length=0x8000;
|
|
g = f.bind(null,...arr);
|
|
|
|
function test() {
|
|
return g();
|
|
}
|
|
|
|
%PrepareFunctionForOptimization(f);
|
|
%PrepareFunctionForOptimization(test);
|
|
test();
|
|
%OptimizeFunctionOnNextCall(test);
|
|
assertEquals(test().length, arr.length);
|