Diffstat (limited to 'deps/v8/test/mjsunit')
-rw-r--r-- | deps/v8/test/mjsunit/regress/regress-crbug-867776.js | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-867776.js b/deps/v8/test/mjsunit/regress/regress-crbug-867776.js
new file mode 100644
index 0000000000..f108f2acc4
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-867776.js
@@ -0,0 +1,22 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+for (var i = 0; i < 3; i++) {
+ var array = new BigInt64Array(200);
+
+ function evil_callback() {
+ %ArrayBufferNeuter(array.buffer);
+ gc();
+ return 1094795585n;
+ }
+
+ var evil_object = {valueOf: evil_callback};
+ var root;
+ try {
+ root = BigInt64Array.of.call(function() { return array }, evil_object);
+ } catch(e) {}
+ gc();
+} |
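Review bot: The new test has no comment saying what it guards, and the empty `catch(e) {}` around the `BigInt64Array.of.call(...)` line means it passes whether or not the call throws, so the only thing actually checked is that the process survives the three iterations. From the visible lines, `evil_callback` detaches `array.buffer` and forces a GC from inside `valueOf`, i.e. while `of` is converting the value it is about to store into the array handed back by the constructor function; this looks like a store-into-detached-buffer memory-safety regression, though the bug itself is not described on the page. I would add a header comment such as `// valueOf detaches array.buffer (and forces GC) while BigInt64Array.of is storing the element; the test passes if nothing crashes.` and, beside the catch, `// Throwing is acceptable here; only a crash is a failure.` As a style point, `evil_callback` is a function declaration inside the `for` block and `root` is assigned but never read, so a function expression and dropping `root` would be tidier.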