AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
813094ac8c
v8/test/mjsunit/regress/regress-816317.js
Peter Marshall ec5c342798 [typedarray] Fix failing DCHECK for TA.from with a length getter. 
I loosened the DCHECKs here but I think they are still fundamentally
safe: `length` must be <= the actual length of the source (so that
there are actually enough elements to copy), and `length` must also be
<= the destination length, minus the offset (so there is enough space
to copy the elements into).

Bug: chromium:816317
Change-Id: Ice00ac60f4884363f6065ffee71f6ab1d1b32dbc
Reviewed-on: https://chromium-review.googlesource.com/937209
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51566}
2018-02-26 13:42:23 +00:00

13 lines
347 B
JavaScript
Raw Blame History

// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let a = new Float64Array(15);
Object.defineProperty(a, "length", {
get: function () {
return 6;
}
});
delete a.__proto__.__proto__[Symbol.iterator];
Float64Array.from(a);
Reference in New Issue View Git Blame Copy Permalink