a24d5ad787
The ToBigInt conversion can have side effects, so the check for neutered-ness must happen afterwards. Bug: chromium:867776 Change-Id: I6e550c77a284da4cf132c21a6c3b1ed8f34eedc9 Reviewed-on: https://chromium-review.googlesource.com/1153553 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Dan Elphick <delphick@chromium.org> Cr-Commit-Position: refs/heads/master@{#54761}
23 lines
557 B
JavaScript
// Copyright 2018 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax --expose-gc
|
|
|
|
for (var i = 0; i < 3; i++) {
|
|
var array = new BigInt64Array(200);
|
|
|
|
function evil_callback() {
|
|
%ArrayBufferNeuter(array.buffer);
|
|
gc();
|
|
return 1094795585n;
|
|
}
|
|
|
|
var evil_object = {valueOf: evil_callback};
|
|
var root;
|
|
try {
|
|
root = BigInt64Array.of.call(function() { return array }, evil_object);
|
|
} catch(e) {}
|
|
gc();
|
|
}
|
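Review bot: The empty `catch(e) {}` after the `BigInt64Array.of.call(...)` line accepts any exception, so the test only guards against the crash and leaves the expected post-fix behavior unpinned. Rethrowing anything that is not a `TypeError` would keep the regression test honest without assuming a specific message: `} catch (e) { if (!(e instanceof TypeError)) throw e; }` (if this runs under the mjsunit harness, `assertThrows(() => BigInt64Array.of.call(function() { return array }, evil_object), TypeError)` is the more direct form, but I cannot see from the listing whether that harness is loaded). A one-line comment above the `try` would also help the next maintainer see why `valueOf` is the hook: `// ToBigInt on evil_object runs valueOf, which detaches array.buffer; the implementation must re-check for detachment after the conversion, not before.` The `gc()` calls look like they exist to reclaim the detached backing store so a stale write is observable under a sanitizer, but that intent is only inferred and is worth stating in the same comment.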