9459c27b68
Skip over DCHECK in fuzzing that is always checked later by getting the value from a Maybe object. Bug: chromium:1359230, chromium:1360735 Change-Id: I9512e27fdeb1d6919e24bd631ae2caece7aed466 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3874934 Commit-Queue: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#83075}
// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --fuzzing
// Case 1: serialize a single double, overwrite one byte of the wire data and
// hand the tampered buffer back to the deserializer. Nothing is asserted about
// the result; the case passes as long as d8 survives the malformed input.
const originalValue = -1.7976931348623157e+308; // -Number.MAX_VALUE
const wireBuffer = d8.serializer.serialize(originalValue);
// The write below has to reach wireBuffer itself, so this view is expected to
// alias the serializer's output rather than copy it.
const wireBytes = new Uint8Array(wireBuffer);
// 73 is ASCII 'I'. NOTE(review): offset 2 presumably holds the value's type
// tag, so this relabels the double as a different type - confirm against the
// ValueSerializer wire format.
wireBytes[2] = 73;
try {
  d8.serializer.deserialize(wireBuffer);
} catch {
  // Deliberately empty: rejecting the corrupted payload with an exception is
  // an acceptable outcome. Only a crash or a failed internal check counts as
  // a regression here.
}
// Case 2: serialize an object holding a RegExp and a "length" equal to
// Number.MAX_SAFE_INTEGER, then corrupt one byte of the payload with a
// different value on each of 52 rounds before deserializing it again.
const pattern = /\dei7/sgiuy;
const payload = {"a": pattern, "length": 9007199254740991};
const step = 2061353130;
let patchValue = step * 21;
for (let round = 0; round < 52; round++) {
  patchValue += step;
  try {
    const encoded = d8.serializer.serialize(payload);
    const encodedBytes = new Uint8Array(encoded);
    // A Uint8Array element store keeps only the low 8 bits, so the growing
    // counter becomes a varying byte value at offset 6.
    // NOTE(review): which field of the wire format sits at offset 6 is not
    // visible from this file - confirm before relying on it.
    encodedBytes[6] = patchValue;
    d8.serializer.deserialize(encoded);
  } catch {
    // Deliberately empty: an exception on malformed data is an expected
    // result. The case only fails if d8 crashes or trips an internal check.
  }
}