60c0edc08c
As opposed to the register. For subtle reasons, this fixes a deoptimizer bug with handling return values in lazy deopt. Since the return values can now only overwrite the accumulator, there is no danger of overwriting a captured object that might be later used (since there is no "later"). Bug: chromium:902608 Change-Id: I3a7a10bb1c7a6f4303a01d60f80680afcb7bc942 Reviewed-on: https://chromium-review.googlesource.com/c/1325901 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#57349}
17 lines
384 B
JavaScript
17 lines
384 B
JavaScript
// Copyright 2018 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
async function f() {
|
|
var a = [...new Int8Array([, ...new Uint8Array(65536)])];
|
|
var p = new Proxy([f], {
|
|
set: function () { },
|
|
done: undefined.prototype
|
|
});
|
|
}
|
|
|
|
f()
|
|
f();
|