Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1251)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: test/cctest/test-api.cc

Issue 1099453007: Empty Array prototype elements protection needs to alert on length change. (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: With comments. Created 5 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « src/objects.cc ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: test/cctest/test-api.cc
diff --git a/test/cctest/test-api.cc b/test/cctest/test-api.cc
index 7954598c60b14782bb45bd3ffb805b8c284e5c35..32420d1fa4507bc1413ee425df2dde84cc3ff5f1 100644
--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -16684,6 +16684,8 @@ TEST(VerifyArrayPrototypeGuarantees) {
BreakArrayGuarantees("Object.prototype[3] = 'three';");
BreakArrayGuarantees("Array.prototype.push(1);");
BreakArrayGuarantees("Array.prototype.unshift(1);");
+ // Break fast array hole handling by changing length.
+ BreakArrayGuarantees("Array.prototype.length = 30;");
// Break fast array hole handling by prototype structure changes.
BreakArrayGuarantees("[].__proto__.__proto__ = { funny: true };");
// By sending elements to dictionary mode.
« no previous file with comments | « src/objects.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698