AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[typedarray] Use native context in elements accessor.

Browse Source 
A check will fail if the context passed in is not a native context.
Change the code to get the native context from the passed context.

Bug: chromium:804288
Change-Id: Iad314a3dd170355cf524b9230a692a6329564f8a
Reviewed-on: https://chromium-review.googlesource.com/878324
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50761}
This commit is contained in:
Peter Marshall 2018-01-22 14:53:04 +01:00 committed by Commit Bot
parent 1827b842b9
commit 2cfacb743d
2 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/elements.cc
View File

@ -3339,7 +3339,8 @@ class TypedElementsAccessor
// them. // them.
if (source_proto->IsNull(isolate)) return false; if (source_proto->IsNull(isolate)) return false;
if (source_proto->IsJSProxy()) return true; if (source_proto->IsJSProxy()) return true;
if (!context->is_initial_array_prototype(JSObject::cast(source_proto))) { if (!context->native_context()->is_initial_array_prototype(
JSObject::cast(source_proto))) {
return true; return true;
} }

9
test/mjsunit/regress/regress-804288.js Normal file
View File

@ -0,0 +1,9 @@
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var arr = [{}];
Object.setPrototypeOf(arr, {});
var ta = new Uint8Array(arr);
let kDeclNoLocals = 0;