AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
30be479711
v8/test/mjsunit/regress/regress-crbug-683667.js
Igor Sheludko 1c7f83980e [runtime] Mark old JSGlobalProxy's map as unstable when an iframe navigates away. 
This CL also introduces Realm.navigate(i).

BUG=chromium:683667

Change-Id: I9227292ea3a575f34367e82fc6297d234d3eecae
Reviewed-on: https://chromium-review.googlesource.com/447638
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43494}
2017-02-28 17:05:51 +00:00

15 lines
469 B
JavaScript
Raw Blame History

// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc --verify-heap
var realm = Realm.create();
var g = Realm.global(realm);
var obj = {x: 0, g: g};
// Navigation will replace JSGlobalObject behind the JSGlobalProxy g and
// therefore will change the g's map. The old map must be marked as non-stable.
Realm.navigate(realm);
gc();
Reference in New Issue View Git Blame Copy Permalink