v8/test/mjsunit/regress/regress-crbug-1384474-variant2.js
Marja Hölttä 47aaddc508 [rab/gsab] Now really fix the destination being resizable in TA.p.slice
Cancel the unnecessary fix
https://chromium-review.googlesource.com/c/v8/v8/+/4028559
and fix the problem at its root, TypedArraySpeciesCreateByLength.

This fix also fixes other variants of this bug (see tests).

Drive by: harden by setting length = 0 (not only byte_length) for length
tracking TAs.

Bug: v8:11111,chromium:1384474
Change-Id: I3ba660f7f600c0b946c75e7f13276703394c7df2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030259
Auto-Submit: Marja Hölttä <marja@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84312}
2022-11-16 21:38:50 +00:00


// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --harmony-rab-gsab
// Regression test for crbug.com/1384474 (variant 2): %TypedArray%.prototype.slice
// must reject a species-supplied destination that is too short for the elements
// it is about to copy, even when that destination is a length-tracking view
// over a resizable ArrayBuffer that has been shrunk.

// Source: a 4-byte resizable buffer, viewed without an explicit length, so
// `ta` has 4 elements when slice() runs.
const rab1 = new ArrayBuffer(4, {"maxByteLength": 100});
const ta = new Int8Array(rab1);

// Destination: a second resizable buffer with a length-tracking view over it.
const rab2 = new ArrayBuffer(10, {"maxByteLength": 20});
const lengthTracking = new Int8Array(rab2);

// Shrink the destination's buffer to zero bytes BEFORE slice() is called, so
// the view handed back by the species constructor has length 0.
rab2.resize(0);

// Route slice() through a species constructor that ignores the requested
// length and always returns the pre-shrunk view. This must stay a plain
// function expression: species constructors are invoked with `new`, and an
// arrow function or method shorthand is not constructible, which would raise
// a TypeError for an unrelated reason and leave the real check untested.
ta.constructor = { [Symbol.species]: function() { return lengthTracking; } };

// The destination (length 0) is shorter than the 4 elements slice() needs to
// write, so the call has to throw instead of copying. NOTE(review): the
// associated commit message places the fix in TypedArraySpeciesCreateByLength;
// presumably the failure mode without it is a copy past the end of the
// destination's backing store, but that is not visible from this file.
assertThrows(() => { ta.slice(); }, TypeError);