Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(36)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: test/mjsunit/regress/regress-crbug-683667.js

Issue 2725153002: Merged: [runtime] Mark old JSGlobalProxy's map as unstable when an iframe navigates away. (Closed)
Patch Set: Created 3 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « src/objects.h ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: test/mjsunit/regress/regress-crbug-683667.js
diff --git a/test/mjsunit/regress/regress-crbug-683667.js b/test/mjsunit/regress/regress-crbug-683667.js
new file mode 100644
index 0000000000000000000000000000000000000000..adba522129778f4f1437d2c3ef99f579d7e171a8
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-683667.js
@@ -0,0 +1,14 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc --verify-heap
+
+var realm = Realm.create();
+var g = Realm.global(realm);
+var obj = {x: 0, g: g};
+
+// Navigation will replace JSGlobalObject behind the JSGlobalProxy g and
+// therefore will change the g's map. The old map must be marked as non-stable.
+Realm.navigate(realm);
+gc();
« no previous file with comments | « src/objects.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698