Issue 1092043002: Protect the emptiness of Array prototype elements with a PropertyCell. (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: Try again :p. Created 5 years, 8 months ago
Index: test/cctest/test-api.cc
diff --git a/test/cctest/test-api.cc b/test/cctest/test-api.cc
index 3a6ebc803d4068e097d01e484aa33d3453c32e85..869199c5dd9be8f58929342067f4b81ca02b5d6f 100644
--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -16641,6 +16641,52 @@ UNINITIALIZED_TEST(DisposeIsolateWhenInUse) {
}
+static void BreakArrayGuarantees(const char* script) {
+ v8::Isolate* isolate1 = v8::Isolate::New();
+ isolate1->Enter();
+ v8::Persistent<v8::Context> context1;
+ {
+ v8::HandleScope scope(isolate1);
+ context1.Reset(isolate1, Context::New(isolate1));
+ }
+
+ {
+ v8::HandleScope scope(isolate1);
+ v8::Local<v8::Context> context =
+ v8::Local<v8::Context>::New(isolate1, context1);
+ v8::Context::Scope context_scope(context);
+ v8::internal::Isolate* i_isolate =
+ reinterpret_cast<v8::internal::Isolate*>(isolate1);
+ CHECK_EQ(true, i_isolate->IsFastArrayConstructorPrototypeChainIntact());
+ // Run something in new isolate.
+ CompileRun(script);
+ CHECK_EQ(false, i_isolate->IsFastArrayConstructorPrototypeChainIntact());
+ }
+ isolate1->Exit();
+ isolate1->Dispose();
+}
+
+
+TEST(VerifyArrayPrototypeGuarantees) {
+ // Break fast array hole handling by element changes.
+ BreakArrayGuarantees("[].__proto__[1] = 3;");
+ BreakArrayGuarantees("Object.prototype[3] = 'three';");
+ BreakArrayGuarantees("Array.prototype.push(1);");
+ BreakArrayGuarantees("Array.prototype.unshift(1);");
+ // Break fast array hole handling by prototype structure changes.
+ BreakArrayGuarantees("[].__proto__.__proto__ = { funny: true };");
+ // By sending elements to dictionary mode.
+ BreakArrayGuarantees("Object.freeze(Array.prototype);");
+ BreakArrayGuarantees("Object.freeze(Object.prototype);");
+ BreakArrayGuarantees(
+ "Object.defineProperty(Array.prototype, 0, {"
+ " get: function() { return 3; }});");
+ BreakArrayGuarantees(
+ "Object.defineProperty(Object.prototype, 0, {"
+ " get: function() { return 3; }});");
+}
+
+
TEST(RunTwoIsolatesOnSingleThread) {
// Run isolate 1.
v8::Isolate* isolate1 = v8::Isolate::New();
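Review bot: The new helper `BreakArrayGuarantees` has no header comment, and `CHECK_EQ(true, …)` / `CHECK_EQ(false, …)` on the two protector probes read less clearly than the usual `CHECK(…)` / `CHECK(!…)`; I would add `// Creates a fresh isolate, checks the fast-array prototype-chain protector (queried on the internal Isolate) is intact, runs |script|, and checks that the script invalidated it.` above the function and rewrite the probes as `CHECK(i_isolate->IsFastArrayConstructorPrototypeChainIntact());` and `CHECK(!i_isolate->IsFastArrayConstructorPrototypeChainIntact());`. The test also only exercises the invalidating direction: every script is expected to flip the cell, so nothing would catch a regression where an element-free change such as `Array.prototype.foo = 1;` invalidates it needlessly, and, more importantly for the security invariant this cell backs, nothing confirms that a script believed to be harmless really leaves it intact. A small companion that runs such a script and expects the protector to still hold (a second helper mirroring this one with the final check inverted) would close both gaps; whether `Array.prototype.splice(0, 0, 1)` goes through the same path as the `push`/`unshift` cases covered here I cannot tell from this file, so it may be worth adding as well.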
