Diffstat (limited to 'deps/v8/test/mjsunit/regress/regress-crbug-820312.js')
-rw-r--r--deps/v8/test/mjsunit/regress/regress-crbug-820312.js26
1 files changed, 26 insertions, 0 deletions
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-820312.js b/deps/v8/test/mjsunit/regress/regress-crbug-820312.js
new file mode 100644
index 0000000000..448d4e97c0
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-820312.js
@@ -0,0 +1,26 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+let arr = new Array(0x10000);
+let resolve_element_closures = new Array(0x10000);
+
+for (let i = 0; i < arr.length; i++) {
+ arr[i] = new Promise(() => {});
+ arr[i].then = ((idx, resolve) => {
+ resolve_element_closures[idx] = resolve;
+ }).bind(null, i);
+}
+
+Promise.all(arr);
+
+// 0xffff is too large, transitions to DICTIONARY_ELEMENTS
+resolve_element_closures[0xffff]();
+
+// grows the capacity, the elements kind of the result array is still DICTIONARY_ELEMENTS, but the elements object of it is no more a dictionary.
+resolve_element_closures[100]();
+
+// You can observe that V8 crashes here in debug mode.
+resolve_element_closures[0xfffe]();
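Review bot: The test has no assertion, so it can only fail where the engine itself aborts. The comment above the last call says the crash is seen in debug mode, so a release-build run would presumably pass even if the elements-kind and backing-store mismatch came back. That comment also reads like a bug report rather than the invariant under test; something like `// Must not crash: the result array's elements kind and its elements object have to stay consistent.` would tell a maintainer what a failure means. Separately, `// Flags: --allow-natives-syntax` is declared but no `%` intrinsic appears in the file, so the flag can be dropped.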