129f770148
When constructing a TypedArray by length, only actually setup the JSTypedArray instance once the buffer is allocated, as only at that time it's known whether the byte length is fine. Otherwise we confuse the heap verifier. Bug: chromium:887891 Change-Id: I407ff9a2a053dd11ef764e4e32f482abb27eb0a8 Reviewed-on: https://chromium-review.googlesource.com/1238494 Reviewed-by: Yang Guo <yangguo@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#56131}
11 lines
327 B
JavaScript
11 lines
327 B
JavaScript
// Copyright 2018 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax --verify-heap
|
|
|
|
const l = 1000000000;
|
|
const a = [];
|
|
function foo() { var x = new Int32Array(l); }
|
|
try { foo(); } catch (e) { }
|