ca5deb1ff8
When an Array subclass is used as the receiver for concat, or with certain usages of @@species, the output that's constructed is of a different type with new slow path logic. This slow path still made references to elements, so it's important that bounds checking for a too-long result still be done. This patch repairs that bounds checking. R=cbruni LOG=Y BUG=chromium:592340 Review URL: https://codereview.chromium.org/1782443002 Cr-Commit-Position: refs/heads/master@{#34636}
14 lines
418 B
JavaScript
14 lines
418 B
JavaScript
// Copyright 2016 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
class MyArray extends Array { }
|
|
Object.prototype[Symbol.species] = MyArray;
|
|
delete Array[Symbol.species];
|
|
__v_1 = Math.pow(2, 31);
|
|
__v_2 = [];
|
|
__v_2[__v_1] = 31;
|
|
__v_4 = [];
|
|
__v_4[__v_1 - 2] = 33;
|
|
assertThrows(() => __v_2.concat(__v_4), RangeError);
|