75eab984f5
This CL fixes a negative capacity check up the call-chain to fix an issue found by ClusterFuzz. This is temporary since mid-term we want to change the interface of allocation functions to take an unsigned C++ type, so that implicit conversion errors like this one can't happen. Fixed: chromium:1041240 Change-Id: Ib344e5738d2648fbf9a2951ca943ff566ddd5f09 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000134 Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Simon Zünd <szuend@chromium.org> Cr-Commit-Position: refs/heads/master@{#65746}
21 lines
638 B
C++
// Copyright 2020 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
#include "src/execution/isolate.h"
|
|
#include "src/heap/factory.h"
|
|
#include "test/unittests/test-utils.h"
|
|
|
|
namespace v8 {
|
|
namespace internal {
|
|
|
|
using NewUninitializedFixedArrayTest = TestWithIsolateAndZone;
|
|
|
|
TEST_F(NewUninitializedFixedArrayTest, ThrowOnNegativeLength) {
|
|
ASSERT_DEATH_IF_SUPPORTED({ factory()->NewUninitializedFixedArray(-1); },
|
|
"Fatal javascript OOM in invalid array length");
|
|
}
|
|
|
|
} // namespace internal
|
|
} // namespace v8
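Review bot: The death test at the `ASSERT_DEATH_IF_SUPPORTED` line pins the regression with a single input, -1, and carries no comment saying why a negative length must be fatal; a one-line comment above it would make the intent survive the planned interface change: `// A negative length must trip the allocation-size check before the signed value is implicitly converted to an unsigned size (chromium:1041240).`. The factory change that makes this check fire is not in this file section, and the test's expectation on the message text `"Fatal javascript OOM in invalid array length"` couples it to that wording, so a later rewording of the OOM message would fail this test rather than the check itself. Given the description notes the unsigned-interface migration is still pending, a second case with the most negative `int` value would cover the other end of the implicit-conversion range with the same one-line assertion shape.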
|