f52c8f9f28
context_name pointer can be changed after GC triggered by AddProperty. R=ishell@chromium.org Bug: chromium:732717 Change-Id: Ie8e2497fa9f3bac80e0ad68153956e382731e284 Reviewed-on: https://chromium-review.googlesource.com/532994 Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#45898}
18 lines
569 B
JavaScript
18 lines
569 B
JavaScript
// Copyright 2017 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
let {session, contextGroup, Protocol} =
|
|
InspectorTest.start('Regression test for crbug.com/732717');
|
|
|
|
Protocol.Runtime.evaluate({expression: `var v3 = {};
|
|
var v6 = {};
|
|
Array.prototype.__defineGetter__(0, function() {
|
|
this[0] = 2147483647;
|
|
})
|
|
Array.prototype.__defineSetter__(0, function() {
|
|
console.context(v3);
|
|
this[0] = v6;
|
|
});
|
|
v60 = Array(0x8000).join();`}).then(InspectorTest.completeTest);
|