| Index: test/mjsunit/regress/regress-crbug-589792.js
|
| diff --git a/test/mjsunit/regress/regress-crbug-589792.js b/test/mjsunit/regress/regress-crbug-589792.js
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..f735afceaefbf7dfa7dffeaf8542c3e927a6a540
|
| --- /dev/null
|
| +++ b/test/mjsunit/regress/regress-crbug-589792.js
|
| @@ -0,0 +1,20 @@
|
| +// Copyright 2016 the V8 project authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +// Flags: --allow-natives-syntax
|
| +
|
| +var boom = (function(stdlib, foreign, heap) {
|
| + "use asm";
|
| + var MEM8 = new stdlib.Uint8Array(heap);
|
| + var MEM32 = new stdlib.Int32Array(heap);
|
| + function foo(i, j) {
|
| + j = MEM8[256];
|
| + // This following value '10' determines the value of 'rax'
|
| + MEM32[j >> 10] = 0xabcdefaa;
|
| + return MEM32[j >> 2] + j
|
| + }
|
| + return foo
|
| +})(this, 0, new ArrayBuffer(256));
|
| +%OptimizeFunctionOnNextCall(boom);
|
| +boom(0, 0x1000);
|
|
|
Chromium Code Reviews
Issue 1740123002:
[turbofan] Bailout if LoadBuffer typing assumption doesn't hold. (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master