AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
97eff73b71
v8/test/mjsunit/regress/regress-crbug-1195977.js
Igor Sheludko 1decfe647f Regression test for http://crbug/1195977 
Bug: chromium:1195977
Change-Id: Ic2fe906be7d700701f402c7bfb36c42f5a93ce24
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2919824
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74818}
2021-05-27 12:43:13 +00:00

33 lines
629 B
JavaScript
Raw Blame History

// Copyright 2021 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc
class Foo extends Float64Array {}
let u32 = new Foo(1000);
u32.__defineSetter__('length', function() {});
class MyArray extends Array {
static get [Symbol.species]() {
return function() { return u32; }
};
}
var w = new MyArray(300);
w.fill(1.1);
w[1] = {
valueOf: function() {
w.length = 1;
gc();
return 1.1;
}
};
var c = Array.prototype.concat.call(w);
for (var i = 0; i < 32; i++) {
print(u32[i]);
}
gc();
Reference in New Issue View Git Blame Copy Permalink