96a2bd8ae8
Array.prototype.concat did not work correct with complex elements on the receiver or the prototype chain. BUG=chromium:594574 LOG=y Review URL: https://codereview.chromium.org/1804963002 Cr-Commit-Position: refs/heads/master@{#34798}
36 lines
959 B
JavaScript
36 lines
959 B
JavaScript
// Copyright 2016 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --expose-gc
|
|
|
|
array = new Array(10);
|
|
array[0] = 0.1;
|
|
// array[1] = THE_HOLE, reading through the prototype chain
|
|
array[2] = 2.1;
|
|
array[3] = 3.1;
|
|
|
|
var copy = array.slice(0, array.length);
|
|
|
|
// Use the defaul array prototype.
|
|
var proto = array.__proto__;
|
|
|
|
// Define [1] on the prototype to alter the array during concatenation.
|
|
Object.defineProperty(
|
|
proto, 1, {
|
|
get() {
|
|
// Alter the array.
|
|
array.length = 1;
|
|
// Force gc to move the array.
|
|
gc();
|
|
return "value from proto";
|
|
},
|
|
set(new_value) { }
|
|
});
|
|
|
|
var concatted_array = Array.prototype.concat.call(array);
|
|
assertEquals(concatted_array[0], 0.1);
|
|
assertEquals(concatted_array[1], "value from proto");
|
|
assertEquals(concatted_array[2], undefined);
|
|
assertEquals(concatted_array[3], undefined);
|