AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
fa1fbc8b34
v8/test/mjsunit/regress/regress-crbug-997057.js
Maya Lekova f16a3a7436 [turbofan] Fix memory corruption 
Bug: chromium:997057
Change-Id: I821b91ff51f82e6325dae5719e1669142c82b05e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768579
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63369}
2019-08-23 14:03:01 +00:00

32 lines
528 B
JavaScript
Raw Blame History

// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --no-lazy-feedback-allocation
arr0 = [];
var obj = {};
Array.prototype[12] = 10;
arr0 = [];
Array.prototype[0] = 153;
for (var elem in arr0) {
obj.length = {
toString: function () {
}
};
}
function baz() {
obj.length, arr0.length;
}
var arr = [{}, [], {}];
for (var i in arr) {
baz();
for (var j = 0; j < 100000; j++) {
}
}
Reference in New Issue View Git Blame Copy Permalink