5020db7f9c
Using .caller, one can get access to the internal function that invokes the handler passed to Promise.prototype.then. This internal function is a TF builtin that was set up as non-native and without an argument adaptor. As a consequence of this, when accessing .arguments on it, the frame-walking logic in the .arguments accessor thinks the number of arguments is -1 and we try to allocate an array of size -1. This CL marks the builtin function as native (making its .arguments be null), along with a few others that may have been incorrect in the same way. BUG=chromium:682349 Review-Url: https://codereview.chromium.org/2672453002 Cr-Commit-Position: refs/heads/master@{#42855}
14 lines
349 B
JavaScript
14 lines
349 B
JavaScript
// Copyright 2017 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
let success = false;
|
|
function f() {
|
|
success = (f.caller.arguments === null);
|
|
}
|
|
Promise.resolve().then(f);
|
|
%RunMicrotasks();
|
|
assertTrue(success);
|