15aa8c589c
... when setting the prototype of TypedArray constructor. Setting the __proto__ of TypedArray constructor could change TypedArray's @@species, thus we need to invalidate the @@species protector. Bug: v8:13110 Change-Id: Ib3b2c88d1136965c221492ff81a26ae69533b356 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3813063 Commit-Queue: 王澳 <wangao.james@bytedance.com> Reviewed-by: Marja Hölttä <marja@chromium.org> Reviewed-by: Jakob Linke <jgruber@chromium.org> Cr-Commit-Position: refs/heads/main@{#82282}
// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Regression test for v8:13110: replacing the prototype of a TypedArray
// constructor can change the @@species that constructor resolves to, so the
// engine has to invalidate its @@species protector when that happens.

// Allocated before the prototype is swapped.
const source = new Uint8Array(1024);

// The replacement prototype still inherits from %TypedArray% (reached here
// through Uint16Array.__proto__) but answers Symbol.species with Uint16Array.
const speciesOverride = {
  __proto__: Uint16Array.__proto__,
  [Symbol.species]: Uint16Array,
};
Uint8Array.__proto__ = speciesOverride;

// slice() must consult the overridden species and build a Uint16Array with
// the same element count. NOTE(review): with a stale protector, a fast path
// that skips the species lookup would presumably hand back a Uint8Array here;
// confirm against the bug report.
const sliced = source.slice();
assertTrue(sliced instanceof Uint16Array);
assertEquals(sliced.length, 1024);