7a38462e8b
Previously, CreateDataProperty would fail a DCHECK when used to create an integer indexed property on a TypedArray. This patch makes it throw a TypeError instead. The issue came up when Array.prototype.concat was repaired to use CreateDataProperty rather than SetElement; concat can be tricked into making a new TypedArray if it is given an Array whose prototype is a TypedArray. This patch prevents the issue. R=adamk LOG=Y BUG=chromium:596394 Review URL: https://codereview.chromium.org/1821723004 Cr-Commit-Position: refs/heads/master@{#35271}
14 lines
577 B
JavaScript
14 lines
577 B
JavaScript
// Copyright 2016 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// In ES#sec-array.prototype.concat
|
|
// When concat makes a new integer-indexed exotic object, the resulting properties
|
|
// are non-configurable and cannot have CreateDataPropertyOrThrow called on them,
|
|
// so it throws a TypeError on failure to make a new property.
|
|
|
|
__v_0 = new Uint8Array(100);
|
|
array = new Array(10);
|
|
array.__proto__ = __v_0;
|
|
assertThrows(() => Array.prototype.concat.call(array), TypeError);
|