47aaddc508
Cancel the unnecessary fix https://chromium-review.googlesource.com/c/v8/v8/+/4028559 and fix the problem at its root, TypedArraySpeciesCreateByLength. This fix also fixes other variants of this bug (see tests). Drive-by: harden by setting length = 0 (not only byte_length) for length-tracking TAs. Bug: v8:11111,chromium:1384474 Change-Id: I3ba660f7f600c0b946c75e7f13276703394c7df2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030259 Auto-Submit: Marja Hölttä <marja@chromium.org> Reviewed-by: Shu-yu Guo <syg@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#84312}
// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --harmony-rab-gsab
// Regression test: a Symbol.species constructor hands back an existing,
// length-tracking TypedArray whose buffer has been shrunk to 0 bytes. The
// species result is therefore shorter than the 4 elements filter() needs, so
// TypedArraySpeciesCreateByLength must reject it with a TypeError instead of
// using the too-short array as the output.
const sourceBuffer = new ArrayBuffer(4, { maxByteLength: 100 });
const ta = new Int8Array(sourceBuffer);

// No explicit length => the view tracks the buffer's current length.
const trackingBuffer = new ArrayBuffer(10, { maxByteLength: 20 });
const lengthTracking = new Int8Array(trackingBuffer);

// Shrink after the view exists: lengthTracking now reports length 0.
trackingBuffer.resize(0);

// Must stay a `function` expression: the species constructor is invoked with
// Construct, and returning an object from it substitutes that object for the
// freshly created one. An arrow function is not a constructor and would fail
// before the code under test is reached.
ta.constructor = {
  [Symbol.species]: function () {
    return lengthTracking;
  },
};

assertThrows(() => ta.filter(() => true), TypeError);