AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
b14a981496
v8/test/mjsunit/regress-707410.js
Peter Marshall c5ad59f4d4 [builtins] Use length field in TypedArrayConstructByArrayLike. 
The byte_length field of the TypedArray is not set to 0 on neutering,
but JSArrayBufferView::byte_length() returns 0 if WasNeutered() is
true. We should use the length property here instead.

We can just short-circuit if the length is 0. Added checks to the
memcpy path that assert length and neutered status are sane.

Bug:chromium:707472,chromium:707595,chromium:707364,chromium:707410

Change-Id: Ia1dec53f175357673012cbbc5e2fc40207e03623
Reviewed-on: https://chromium-review.googlesource.com/465987
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44336}
2017-04-03 12:45:22 +00:00

11 lines
321 B
JavaScript
Raw Blame History

// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
var a = new Uint8Array(1024*1024);
%ArrayBufferNeuter(a.buffer);
var b = new Uint8Array(a);
assertEquals(0, b.length);
Reference in New Issue View Git Blame Copy Permalink