15a449b141
Even after https://codereview.chromium.org/2371963002 we still did not always store a Smi into the JSTypedArray::length field, the runtime function %TypedArrayInitializeFromArrayLike was still storing whatever it got from the JavaScript code, which is highly dependent on internal decisions of the ICs and the representation selection in the optimizing compilers, so that's pretty fragile. R=verwaest@chromium.org BUG=chromium:650933 Review-Url: https://codereview.chromium.org/2377943002 Cr-Commit-Position: refs/heads/master@{#39802}
9 lines
291 B
JavaScript
9 lines
291 B
JavaScript
// Copyright 2016 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
var a = [0, 1, 2, 3, 4, 5, 6, 7, 8];
|
|
var o = {length: 1e40};
|
|
try { new Uint8Array(o); } catch (e) { }
|
|
new Float64Array(a);
|