AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
fd9c0d12ed
v8/test/mjsunit/regress/wasm/regress-946350.js
Clemens Hammacher 6111c6104a [wasm] Fix missing GC visit of instance elements 
The elements of a {WasmInstanceObject} were not visited during GC,
leading to crashes when using them later.
This CL fixes this by visiting the whole {JSObject} header, consisting
of properties and elements.

R=titzer@chromium.org

Bug: chromium:839919, chromium:946350
Change-Id: I070fb3e6a7fd87a7288fc68b284100a2f9c72e9a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1541237
Auto-Submit: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60488}
2019-03-27 13:04:26 +00:00

14 lines
388 B
JavaScript
Raw Blame History

// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc
load('test/mjsunit/wasm/wasm-module-builder.js');
var builder = new WasmModuleBuilder();
var instance = builder.instantiate();
instance[1] = undefined;
gc();
Object.getOwnPropertyNames(instance);
Reference in New Issue View Git Blame Copy Permalink