AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
efb11f2068
v8/test/mjsunit/regress/regress-crbug-961709-1.js
Benedikt Meurer bd17f12a4b [ic] Disallow growing stores with TypedArrays in the prototype chain. 
For keyed stores to JSArrays we can generally allow the receiver to grow
to the necessary size by bumping the magical length property. This works
for regular Arrays, but not in the case the prototype chain contains a
TypedArray, as that is going to swallow all stores that are considered
out-of-bounds for it.

We don't wanna deal with that kind of complexity in the IC handlers, so
we just refuse to handle that case (also giving TurboFan the signal that
it shouldn't attempt to handle growing stores in that case).

Bug: chromium:960134, chromium:961709
Change-Id: Ia886de590c32ae51ed4ebe38fc237ed975a635aa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1609790
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61465}
2019-05-14 07:43:05 +00:00

16 lines
386 B
JavaScript
Raw Blame History

// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo() {
const a = [];
a[0] = 1;
return a[0];
}
Object.setPrototypeOf(Array.prototype, new Int8Array());
assertEquals(undefined, foo());
assertEquals(undefined, foo());
Reference in New Issue View Git Blame Copy Permalink