test/mjsunit/es6/regress/regress-cr895860.js · 1b3a4f0c34a19ea82958823c400068a7dbc63675 · Linshizhi / V8

Use slow path in IterableToList for big input strings. · 779d102c

Hai Dang authored Oct 17, 2018

AllocateJSArray always allocates in new space, so we bailout of the fast
path for strings if the new array does not fit in new space.

Bug found by ClusterFuzz. Regression test added.

This also switches to the BranchIf pattern to avoid materialize a bool.

Bug: chromium:895860, v8:7980
Change-Id: Ic7c41268c394ac2796b7694252390ab50fd74838
Reviewed-on: https://chromium-review.googlesource.com/c/1286337Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Hai Dang <dhai@google.com>
Cr-Commit-Position: refs/heads/master@{#56759}

779d102c

regress-cr895860.js 350 Bytes

Replace regress-cr895860.js