f06db79c67
This makes sure that typed array constructors (e.g. Int8Array, ...) used within an asm.js module are considered uses of stdlib values, and hence are checked during module instantiation. R=clemensh@chromium.org TEST=mjsunit/regress/regress-6280 BUG=v8:6280,chromium:714537 Change-Id: Ic5d689f5319c4dac4e9df3dca4a8cf5a4edd890b Reviewed-on: https://chromium-review.googlesource.com/485521 Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#44800}
43 lines
1.2 KiB
JavaScript
43 lines
1.2 KiB
JavaScript
// Copyright 2016 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --nostress-opt --expose-gc --noalways-opt --invoke-weak-callbacks
|
|
|
|
// This test was generated by the fuzzer.
|
|
|
|
function getRandomProperty(v, rand) {
|
|
var properties = Object.getOwnPropertyNames(v);
|
|
var proto = Object.getPrototypeOf(v);
|
|
if (proto) {; }
|
|
if ("constructor" && v.constructor.hasOwnProperty()) {; }
|
|
if (properties.length == 0) { return "0"; }
|
|
return properties[rand % properties.length];
|
|
}
|
|
|
|
var __v_11 = {};
|
|
|
|
function __f_1(stdlib, foreign, buffer) {
|
|
"use asm";
|
|
var __v_3 = new stdlib.Float64Array(buffer);
|
|
function __f_0() {
|
|
var __v_1 = 6.0;
|
|
__v_3[2] = __v_1 + 1.0;
|
|
}
|
|
return {__f_0: __f_0};
|
|
}
|
|
try {
|
|
var __v_0 = new ArrayBuffer(207222809);
|
|
var module = __f_1(this, null, __v_0);
|
|
( {
|
|
})();
|
|
} catch(e) {; }
|
|
__v_13 = '@3'
|
|
Array.prototype.__proto__ = {3: __v_13};
|
|
Array.prototype.__proto__.__proto__ = {7: __v_11};
|
|
__v_9 = [0, 1, , , 4, 5, , , , 9]
|
|
__v_12 = __v_9.splice(4, 1)
|
|
__v_9.__defineGetter__(getRandomProperty(__v_9, 1689439720), function() { return {}; });
|
|
__v_9[8]
|
|
gc();
|