2d10033fba
Converting an object to an array length can freeze the array whose length is being set, but SetLength for the frozen elements accessor is supposedly unreachable. This fix extends the existing special handling for suddenly-readonly lengths to cover this case as well. Prior art: https://codereview.chromium.org/2543553002 Bug: chromium:1044911 Change-Id: I85d2e79446a8d9c1d22cd86ddf828328bf51a1a1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2023555 Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#66020}
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Regression test for chromium:1044911.
//
// Assigning to an array's `length` first converts the assigned value to a
// number, which runs a user-defined `valueOf`. Here that callback freezes the
// very array whose length is being set, so the array is frozen before the
// assignment finishes.
// NOTE(review): the file contains no assertions; presumably the check is
// simply that the engine completes the assignment without crashing.
const a = [0];

const l = {
  // Side effect during conversion: freeze the array mid-assignment, then
  // report a length equal to the current one (1).
  valueOf() {
    Object.freeze(a);
    return 1;
  },
};

// Triggers the length conversion and, with it, the re-entrant freeze.
a.length = l;