v8/test/mjsunit/regress/regress-crbug-867776.js

// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --expose-gc

for (var i = 0; i < 3; i++) {
  var array = new BigInt64Array(200);

  function evil_callback() {
    %ArrayBufferNeuter(array.buffer);
    gc();
    return 1094795585n;
  }

  var evil_object = {valueOf: evil_callback};
  var root;
  try {
    root = BigInt64Array.of.call(function() { return array }, evil_object);
  } catch(e) {}
  gc();
}
[csa] Fix is-neutered check in EmitBigTypedArrayElementStore The ToBigInt conversion can have side effects, so the check for neutered-ness must happen afterwards. Bug: chromium:867776 Change-Id: I6e550c77a284da4cf132c21a6c3b1ed8f34eedc9 Reviewed-on: https://chromium-review.googlesource.com/1153553 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Dan Elphick <delphick@chromium.org> Cr-Commit-Position: refs/heads/master@{#54761} 2018-07-27 20:53:53 +00:00			`// Copyright 2018 the V8 project authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style license that can be`
			`// found in the LICENSE file.`

			`// Flags: --allow-natives-syntax --expose-gc`

			`for (var i = 0; i < 3; i++) {`
			`var array = new BigInt64Array(200);`

			`function evil_callback() {`
			`%ArrayBufferNeuter(array.buffer);`
			`gc();`
			`return 1094795585n;`
			`}`

			`var evil_object = {valueOf: evil_callback};`
			`var root;`
			`try {`
			`root = BigInt64Array.of.call(function() { return array }, evil_object);`
			`} catch(e) {}`
			`gc();`
			`}`