47aaddc508
Cancel the unnecessary fix https://chromium-review.googlesource.com/c/v8/v8/+/4028559 and fix the problem at its root, TypedArraySpeciesCreateByLength. This fix also fixes other variants of this bug (see tests). Drive by: harden by setting length = 0 (not only byte_length) for length tracking TAs. Bug: v8:11111,chromium:1384474 Change-Id: I3ba660f7f600c0b946c75e7f13276703394c7df2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030259 Auto-Submit: Marja Hölttä <marja@chromium.org> Reviewed-by: Shu-yu Guo <syg@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#84312}
// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --harmony-rab-gsab
"use strict";

// Regression test for chromium:1384474. A subclass constructor that always
// wraps the same resizable buffer is re-entered when slice() creates its
// result array through the species constructor.

// Resizable ArrayBuffer: 1744 bytes now, allowed to grow up to 4000 bytes.
const rab = new ArrayBuffer(1744, { maxByteLength: 4000 });

// One-shot latch: only the outermost construction calls slice().
let shouldSlice = true;

class MyFloat64Array extends Float64Array {
  /**
   * Ignores its arguments and always builds a view over `rab`. No offset or
   * length is passed to super(), so the view is length-tracking.
   */
  constructor() {
    super(rab);
    if (!shouldSlice) {
      // Nested construction triggered by slice(): hand back the view as is.
      return;
    }
    // Clear the latch before slicing; otherwise the nested construction would
    // call slice() again and recurse without bound.
    shouldSlice = false;
    // slice() asks this class for its result array, so it receives another
    // length-tracking view of `rab` instead of a fresh array sized to the
    // request. The test pins the outcome to a TypeError.
    // NOTE(review): which engine check raises the TypeError is not visible in
    // this file; the accompanying commit names
    // TypedArraySpeciesCreateByLength as the fix site.
    const sliceViaSuper = () => super.slice();
    assertThrows(sliceViaSuper, TypeError);
  }
}

new MyFloat64Array();