bf998bdf47
The previous fix was using the wrong getter for accessing the length. It also threw an error when the created TA was length-tracking but in bounds. Bug: v8:11111,chromium:1399799 Change-Id: I5a94b1b49b2e30cf33999be7ff0ee8e4f5323849 Fixed: chromium:1399799 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4090984 Reviewed-by: Shu-yu Guo <syg@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#84771}
// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --harmony-rab-gsab --allow-natives-syntax
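// Source array for every slice() call in this file. It is a plain view over
// a fixed-length 3000-byte buffer; only the typed array handed back by the
// Symbol.species constructor differs from case to case.
const ab = new ArrayBuffer(3000);
const ta = new Uint16Array(ab);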
function createOOBTA() {
|
|
const rab = new ArrayBuffer(3000, {"maxByteLength": 4000});
|
|
const ta = new Uint8Array(rab, 0, 3000);
|
|
rab.resize(0);
|
|
return ta;
|
|
}
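// Case 1: the species constructor returns an out-of-bounds typed array.
// slice() must reject that result with a TypeError rather than use it as the
// copy destination (regression test for chromium:1399799).
// The property is configurable so the later cases can redefine it.
Object.defineProperty(Uint16Array, Symbol.species, {
  configurable: true,
  enumerable: true,
  get() {
    return createOOBTA;
  },
});
assertThrows(() => ta.slice(), TypeError);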
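/**
 * Species constructor stand-in that hands back a typed array whose buffer
 * has been detached.
 *
 * Any arguments passed by the caller (slice() passes a length) are ignored.
 *
 * @returns {Uint8Array} a view over a detached resizable buffer.
 */
function createDetachedTA() {
  const resizable = new ArrayBuffer(3000, { maxByteLength: 4000 });
  const view = new Uint8Array(resizable, 0, 3000);
  // V8 runtime intrinsic; needs --allow-natives-syntax (see the Flags line).
  %ArrayBufferDetach(resizable);
  return view;
}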
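// Case 2: the species constructor returns a typed array over a detached
// buffer. slice() must throw a TypeError here as well, so a detached result
// is never used as the copy destination.
Object.defineProperty(Uint16Array, Symbol.species, {
  configurable: true,
  enumerable: true,
  get() {
    return createDetachedTA;
  },
});
assertThrows(() => ta.slice(), TypeError);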
// But this works:
function createLengthTrackingTA() {
|
|
const rab = new ArrayBuffer(3000, {"maxByteLength": 4000});
|
|
const ta = new Uint16Array(rab, 0);
|
|
return ta;
|
|
}
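// Case 3: the species constructor returns a length-tracking typed array that
// is still in bounds. The validity check must not reject it: per the commit
// message, the previous fix wrongly threw for this case.
Object.defineProperty(Uint16Array, Symbol.species, {
  configurable: true,
  enumerable: true,
  get() {
    return createLengthTrackingTA;
  },
});

// No assertion wrapper: the test passes if this call simply does not throw.
ta.slice();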