https://codereview.chromium.org/1314493005/diff/20001/src/runtime.js
File src/runtime.js (right):
https://codereview.chromium.org/1314493005/diff/20001/src/runtime.js#newcode739
src/runtime.js:739: arg = %_MathFloor(arg);
This line is the problem. I get a crash if |arg| is a Smi. Repro:
    d8 --harmony-reflect --turbo --always-opt -e 'Reflect.apply(function(){}, {}, { length: 1 })'
Even more bizarrely, adding a Smi check results in a crash under
--stress-opt --always-opt on a different case:
    function f() { 'use strict'; }
    Reflect.apply(f, undefined, {});
    for (var i = 0; i < 256; ++i) {
      Reflect.apply(f, undefined, { length: i });
    }
Seems like something is particularly screwy with either the Reflect
stuff or MathFloor (both of which have strange implementations).
https://codereview.chromium.org/1314493005/