68cc5c6796
... which didn't check writability of array length on appending a new element to an array. Bug: chromium:1041251 Change-Id: I6935e505a4844e5b22abe9d4a42786619499daa6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2023551 Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#66023}
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Regression test for crbug.com/1041251: appending a new element to an array
// must check that the array's "length" is writable.

// Species constructor consulted by Array.prototype.map. It stays a plain
// `function` expression so that it is constructible; since it returns an
// object, that object is the array map() stores its results into.
const lockedLengthSpecies = function() {
  const target = [2];
  // Pin the length at 1: index 0 already exists and can be overwritten, but
  // storing index 1 would require growing the array.
  Object.defineProperty(target, "length", {writable: false});
  return target;
};

const source = [0, 1];
source.constructor = {[Symbol.species]: lockedLengthSpecies};

// map() visits two source elements, so the second store would have to extend
// the length-locked result array. That must raise a TypeError instead of
// silently appending past a non-writable length.
assertThrows(
    () => Array.prototype.map.call(source, function() {}), TypeError);