c94df3cec4
The assert-guarded comment claiming that ToNumber could not possibly neuter the target array unfortunately turns out to have been wishful thinking. Bug: chromium:816961 Change-Id: Ib98f96f4cd7f33414c0b5a6037bfb881938cc15e Reviewed-on: https://chromium-review.googlesource.com/939767 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#51637}
19 lines
745 B
JavaScript
19 lines
745 B
JavaScript
// Copyright 2018 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
assertThrows(function() {
|
|
var memory = new WebAssembly.Memory({initial: 64 * 1024 * 1024 / 0x10000});
|
|
var array = new Uint8Array(memory.buffer);
|
|
Uint8Array.of.call(function() { return array },
|
|
{valueOf() { memory.grow(1); } });
|
|
}, TypeError);
|
|
|
|
assertThrows(function() {
|
|
var memory = new WebAssembly.Memory({initial: 64 * 1024 * 1024 / 0x10000});
|
|
var array = new Uint8Array(memory.buffer);
|
|
Uint8Array.from.call(function() { return array },
|
|
[{valueOf() { memory.grow(1); } }],
|
|
x => x);
|
|
}, TypeError);
|