| Index: test/mjsunit/regress/regress-crbug-663402.js
|
| diff --git a/test/mjsunit/regress/regress-crbug-663402.js b/test/mjsunit/regress/regress-crbug-663402.js
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..5368bd6e804a6dc2a323e33074796d25f4047512
|
| --- /dev/null
|
| +++ b/test/mjsunit/regress/regress-crbug-663402.js
|
| @@ -0,0 +1,40 @@
|
| +// Copyright 2016 the V8 project authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +// Flags: --allow-natives-syntax
|
| +
|
| +var g_eval = eval;
|
| +function emit_f(size) {
|
| + var body = "function f(x) {" +
|
| + " if (x < 0) return x;" +
|
| + " var a = [1];" +
|
| + " if (x > 0) return [";
|
| + for (var i = 0; i < size; i++) {
|
| + body += "0.1, ";
|
| + }
|
| + body += " ];" +
|
| + " return a;" +
|
| + "}";
|
| + g_eval(body);
|
| +}
|
| +
|
| +// Length must be big enough to make the backing store's size not fit into
|
| +// a single instruction's immediate field (2^12).
|
| +var kLength = 701;
|
| +emit_f(kLength);
|
| +f(1);
|
| +f(1);
|
| +%OptimizeFunctionOnNextCall(f);
|
| +var a = f(1);
|
| +
|
| +// Allocating something else should not disturb |a|.
|
| +var b = new Object();
|
| +for (var i = 0; i < kLength; i++) {
|
| + assertEquals(0.1, a[i]);
|
| +}
|
| +
|
| +// Allocating more should not crash.
|
| +for (var i = 0; i < 300; i++) {
|
| + f(1);
|
| +}
|
|
|
Chromium Code Reviews
Issue 2484283002:
[arm] Fix custom addition in MacroAssembler::[Fast]Allocate (Closed)
