src/v8/test/mjsunit/regress/regress-crbug-941743.js - cobalt - Git at Google

 // Copyright 2019 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 // Flags: --allow-natives-syntax --noenable-slow-asserts

 // This call ensures that TurboFan won't inline array constructors.
 Array(2 ** 30);

 // Set up a fast holey smi array, and generate optimized code.
 let a = [1, 2, , , , 3];
 function mapping(a) {
   return a.map(v => v);
 };
 %PrepareFunctionForOptimization(mapping);
 mapping(a);
 mapping(a);
 %OptimizeFunctionOnNextCall(mapping);
 mapping(a);

 // Now lengthen the array, but ensure that it points to a non-dictionary
 // backing store.
 a.length = 32 * 1024 * 1024 - 1;
 a.fill(1, 0);
 a.push(2);
 a.length += 500;
 // Now, the non-inlined array constructor should produce an array with
 // dictionary elements: causing a crash.
 mapping(a);
	// Copyright 2019 the V8 project authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	// Flags: --allow-natives-syntax --noenable-slow-asserts

	// This call ensures that TurboFan won't inline array constructors.
	Array(2 ** 30);

	// Set up a fast holey smi array, and generate optimized code.
	let a = [1, 2, , , , 3];
	function mapping(a) {
	return a.map(v => v);
	};
	%PrepareFunctionForOptimization(mapping);
	mapping(a);
	mapping(a);
	%OptimizeFunctionOnNextCall(mapping);
	mapping(a);

	// Now lengthen the array, but ensure that it points to a non-dictionary
	// backing store.
	a.length = 32 * 1024 * 1024 - 1;
	a.fill(1, 0);
	a.push(2);
	a.length += 500;
	// Now, the non-inlined array constructor should produce an array with
	// dictionary elements: causing a crash.
	mapping(a);