[typedarray] Use native context in elements accessor.

A check will fail if the context passed in is not a native context. Change the code to get the native context from the passed context. Bug: chromium:804288 Change-Id: Iad314a3dd170355cf524b9230a692a6329564f8a Reviewed-on: https://chromium-review.googlesource.com/878324 Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#50761}
2018-01-22 14:53:04 +01:00 · 2018-01-22 14:53:04 +01:00 · 2cfacb743d
commit 2cfacb743d
parent 1827b842b9
2 changed files with 11 additions and 1 deletions
--- a/src/elements.cc
+++ b/src/elements.cc
@ -3339,7 +3339,8 @@ class TypedElementsAccessor
    // them.
    if (source_proto->IsNull(isolate)) return false;
    if (source_proto->IsJSProxy()) return true;
-    if (!context->is_initial_array_prototype(JSObject::cast(source_proto))) {
+    if (!context->native_context()->is_initial_array_prototype(
+            JSObject::cast(source_proto))) {
      return true;
    }

--- a/test/mjsunit/regress/regress-804288.js
+++ b/test/mjsunit/regress/regress-804288.js
@ -0,0 +1,9 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var arr = [{}];
+Object.setPrototypeOf(arr, {});
+var ta = new Uint8Array(arr);
+
+let kDeclNoLocals = 0;