blob: eaac4c4c4d846a6fe39ed9dba60bccc9a27df137 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --noenable-slow-asserts
// This call ensures that TurboFan won't inline array constructors.
Array(2 ** 30);
// Set up a fast holey smi array, and generate optimized code.
let a = [1, 2, , , , 3];
function mapping(a) {
return a.map(v => v);
};
%PrepareFunctionForOptimization(mapping);
mapping(a);
mapping(a);
%OptimizeFunctionOnNextCall(mapping);
mapping(a);
// Now lengthen the array, but ensure that it points to a non-dictionary
// backing store.
a.length = 32 * 1024 * 1024 - 1;
a.fill(1, 0);
a.push(2);
a.length += 500;
// Now, the non-inlined array constructor should produce an array with
// dictionary elements: causing a crash.
mapping(a);
|
