Reviewers: Jakob,
Description:
Check whether a typed array was neutered before writing to it
As demanded by the spec.
BUG=chromium:516251
[email protected]
LOG=n
Please review this at https://codereview.chromium.org/1261453004/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+4, -0 lines):
M src/objects.cc
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
8bb95c518c79327fe1548fcdf8cf017a9004cd16..0cd6b6613f1188fc1e29b068d234bbd5054f4b10
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -3322,6 +3322,10 @@ MaybeHandle<Object>
Object::SetDataProperty(LookupIterator* it,
// have been invalidated since typed array elements cannot be
reconfigured
// in any way.
it->ReloadHolderMap();
+
+ // We have to recheck the length. However, it can only change if the
+ // underlying buffer was neutered, so just check that.
+ if (Handle<ArrayBufferView>::cast(receiver)->WasNeutered()) return
value;
}
}
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
