AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
cabbc128e4
v8/test/mjsunit/regress/regress-crbug-1402139.js
Marja Hölttä 250525be1d [rab/gsab] Fix ValueSerializer error handling 
Error mode: a TypedArray backed by RAB claims it's not backed by RAB.

Drive-by: disable resizability even harder when --harmony-rab-gsab is
not on.

Bug: v8:11111, chromium:1402139
Change-Id: I937c69f6124419cc8d29da0195686bc3b9a5c281
Fixed: chromium:1402139
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110751
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84952}
2022-12-20 10:38:01 +00:00

14 lines
485 B
JavaScript
Raw Blame History

// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --harmony-rab-gsab
const rab = new ArrayBuffer(363, {"maxByteLength": 1000});
const ta = new Uint8Array(rab);
rab.resize(80);
const data = d8.serializer.serialize(ta);
const dataArray = new Uint8Array(data);
dataArray[dataArray.length - 1] = 17;
assertThrows(() => { d8.serializer.deserialize(data); });
Reference in New Issue View Git Blame Copy Permalink