Diffstat (limited to 'deps/v8/test/mjsunit/regress/regress-821137.js')
-rw-r--r-- | deps/v8/test/mjsunit/regress/regress-821137.js | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/deps/v8/test/mjsunit/regress/regress-821137.js b/deps/v8/test/mjsunit/regress/regress-821137.js
new file mode 100644
index 0000000000..639b3b998a
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-821137.js
@@ -0,0 +1,27 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Tests that creating an iterator that shrinks the array populated by
+// Array.from does not lead to out of bounds writes.
+let oobArray = [];
+let maxSize = 1028 * 8;
+Array.from.call(function() { return oobArray }, {[Symbol.iterator] : _ => (
+ {
+ counter : 0,
+ next() {
+ let result = this.counter++;
+ if (this.counter > maxSize) {
+ oobArray.length = 0;
+ return {done: true};
+ } else {
+ return {value: result, done: false};
+ }
+ }
+ }
+) });
+assertEquals(oobArray.length, maxSize);
+
+// iterator reset the length to 0 just before returning done, so this will crash
+// if the backing store was not resized correctly.
+oobArray[oobArray.length - 1] = 0x41414141; |
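Review bot: The final store `oobArray[oobArray.length - 1] = 0x41414141;` is the only check on the backing store, and it reports a regression only by crashing. On a build without a sanitizer or debug bounds checks, an out-of-bounds write there may corrupt adjacent memory and still let the test pass, so the closing comment should say what it depends on, for example `// Detection relies on a crash; a sanitizer or debug build is needed to catch a silent out-of-bounds write.` The constant in `let maxSize = 1028 * 8;` would also benefit from a short comment stating whether 1028 (rather than 1024) is deliberate, since the size presumably matters for how the backing store is allocated.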