984048e8c7
The JSTypedArray instance is created early on in the TypedArray constructors, using EmitFastNewObject, which puts Undefined into all slots. But the code might still produce an exception afterwards leaving the JSTypedArray in a weird state. It's not a security issue since the object doesn't escape, but it confuses the heap verifier.

Bug: chromium:885404, v8:4153, v8:7881, v8:8171
Change-Id: I5fb8131fcae69edf4a92602ed477dca305c3d6c7
Reviewed-on: https://chromium-review.googlesource.com/1233257
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56019}
12 lines
346 B
JavaScript
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --verify-heap --expose-gc

var ab = new ArrayBuffer(2);
try { new Int32Array(ab); } catch (e) { }
assertEquals(2, ab.byteLength);
gc();
assertEquals(2, ab.byteLength);
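A portable variant of the regression test above, as an added example that is not part of the V8 commit: it runs without d8's `assertEquals` and `gc()`, and it goes beyond the single `Int32Array` case to the other RangeError paths a TypedArray constructor has when it is handed an ArrayBuffer. The names `VIEWS`, `failingCases` and `checkBufferSurvivesFailedConstruction` are made up for this example.

```javascript
// Added example, not V8's own test. Each case makes a TypedArray constructor
// throw, then confirms the ArrayBuffer it was given is still intact.
const VIEWS = [Int16Array, Uint16Array, Int32Array, Uint32Array,
               Float32Array, Float64Array, BigInt64Array, BigUint64Array];

// Constructed inputs: buffer size and constructor arguments that must throw.
function failingCases(View) {
  const n = View.BYTES_PER_ELEMENT;
  return [
    // byteLength is not a multiple of the element size (the shape of the page's case)
    { name: "unaligned length", size: n + 1, args: [] },
    // byteOffset is not a multiple of the element size
    { name: "unaligned offset", size: 4 * n, args: [1] },
    // byteOffset + length * element size runs past the end of the buffer
    { name: "length out of bounds", size: 2 * n, args: [0, 3] },
    // byteOffset lies beyond the end of the buffer
    { name: "offset out of bounds", size: 2 * n, args: [4 * n] },
  ];
}

function checkBufferSurvivesFailedConstruction() {
  const results = [];
  for (const View of VIEWS) {
    for (const { name, size, args } of failingCases(View)) {
      const ab = new ArrayBuffer(size);
      new Uint8Array(ab).fill(0xa5); // recognisable content to compare afterwards
      let threw = null;
      try { new View(ab, ...args); } catch (e) { threw = e; }
      // The failed constructor must leave the buffer's length and bytes unchanged.
      const bytes = new Uint8Array(ab);
      results.push({
        view: View.name,
        name,
        rangeError: threw instanceof RangeError,
        intact: ab.byteLength === size && bytes.every((b) => b === 0xa5),
      });
    }
  }
  return results;
}

for (const r of checkBufferSurvivesFailedConstruction()) {
  console.log(`${r.view} / ${r.name}: RangeError=${r.rangeError} intact=${r.intact}`);
}
```

This only checks behaviour observable from script; the heap-verifier confusion the commit message describes shows up only in a V8 build run with `--verify-heap`, as the test's Flags line requests.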