Title: [235905] trunk/JSTests
Revision: 235905
Author: [email protected]
Date: 2018-09-11 11:25:56 -0700 (Tue, 11 Sep 2018)

Log Message

Test for array initialization in arrayProtoFuncSplice.
https://bugs.webkit.org/show_bug.cgi?id=170253
<rdar://problem/31328773>

Rubber-stamped by Saam Barati.

* stress/regress-170253.js: Added.

Modified Paths

trunk/JSTests/ChangeLog

Added Paths

trunk/JSTests/stress/regress-170253.js
Diff

Modified: trunk/JSTests/ChangeLog (235904 => 235905)


--- trunk/JSTests/ChangeLog	2018-09-11 18:22:17 UTC (rev 235904)
+++ trunk/JSTests/ChangeLog	2018-09-11 18:25:56 UTC (rev 235905)
@@ -1,5 +1,15 @@
 2018-09-11  Mark Lam  <[email protected]>
 
+        Test for array initialization in arrayProtoFuncSplice.
+        https://bugs.webkit.org/show_bug.cgi?id=170253
+        <rdar://problem/31328773>
+
+        Rubber-stamped by Saam Barati.
+
+        * stress/regress-170253.js: Added.
+
+2018-09-11  Mark Lam  <[email protected]>
+
         Test for IntlObject initialization.
         https://bugs.webkit.org/show_bug.cgi?id=170251
         <rdar://problem/31328419>

Added: trunk/JSTests/stress/regress-170253.js (0 => 235905)


--- trunk/JSTests/stress/regress-170253.js	                        (rev 0)
+++ trunk/JSTests/stress/regress-170253.js	2018-09-11 18:25:56 UTC (rev 235905)
@@ -0,0 +1,12 @@
+// This test passes if it does not crash.
+
+Array.prototype.__defineGetter__(1000, () => 0);
+
+for (let i = 0; i < 0x1000; i++)
+    new Array(0x10).fill([{}, {}, {}, {}]);
+
+for (let i = 0; i < 0x1000; i++) {
+    let x = {length: 0x10};
+    x.__defineGetter__(0, () => gc());
+    Array.prototype.splice.call(x, 0);
+}
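Review bot: The header comment "This test passes if it does not crash." is the only documentation in regress-170253.js, and none of the three setup steps says why it is there: the getter installed at index 1000 on Array.prototype, the 0x1000-iteration loop that fills arrays with object literals, and the index-0 getter on x that calls gc() when splice reads it. A one-line comment on each step would tell someone who later sees this test fail what state it is meant to create. The return value of `Array.prototype.splice.call(x, 0);` is also discarded, so the test only detects a crash; keeping the returned array and checking that its length is 0x10 would also catch a run that completes with a wrong result.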
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
