coerced-P-grow.js (1513B)
// Copyright 2023 the V8 project authors. All rights reserved.
// This code is governed by the BSD license found in the LICENSE file.

/*---
esid: sec-object.defineproperty
description: >
  Object.defineProperty behaves correctly when the object is a
  TypedArray backed by a resizable buffer that's grown during argument
  coercion
includes: [compareArray.js, resizableArrayBufferUtils.js]
features: [resizable-arraybuffer]
---*/

// What is under test: the property key handed to Object.defineProperty is an
// object whose toString() resizes the backing buffer. Key coercion runs inside
// the call and can execute arbitrary script, so the integer index has to be
// validated against the buffer as it is *after* coercion.
//
// Why it matters for engine hardening: an implementation that snapshots the
// view's length or out-of-bounds state before coercing the key acts on stale
// bounds. In this grow direction the visible symptom would be a dropped write;
// stale bounds are the same time-of-check/time-of-use mistake that becomes a
// memory-safety problem when the buffer changes size the other way.
//
// ctors, CreateResizableArrayBuffer, MayNeedBigInt and ToNumbers are not
// defined in this file; presumably they come from resizableArrayBufferUtils.js
// listed under `includes`.

// Fixed length.
for (const ctor of ctors) {
  const elementSize = ctor.BYTES_PER_ELEMENT;
  const buffer = CreateResizableArrayBuffer(4 * elementSize, 8 * elementSize);
  const view = new ctor(buffer, 0, 4);

  // Shrink below the view's fixed extent so the view starts out of bounds.
  buffer.resize(2 * elementSize);

  const resizingKey = {
    // Runs during key coercion: growing to 6 elements brings the 4-element
    // view back in bounds before the property is actually defined.
    toString() {
      buffer.resize(6 * elementSize);
      return 0;
    },
  };

  const descriptor = { value: MayNeedBigInt(view, 8) };
  Object.defineProperty(view, resizingKey, descriptor);

  // The write at index 0 must land even though the view was out of bounds
  // when the call began.
  assert.compareArray(ToNumbers(view), [8, 0, 0, 0]);
}

// Length tracking.
for (const ctor of ctors) {
  const elementSize = ctor.BYTES_PER_ELEMENT;
  const buffer = CreateResizableArrayBuffer(4 * elementSize, 8 * elementSize);
  const view = new ctor(buffer, 0);

  const resizingKey = {
    // Runs during key coercion: the buffer grows from 4 to 6 elements, and the
    // returned index 4 is valid only because of that growth.
    toString() {
      buffer.resize(6 * elementSize);
      return 4;
    },
  };

  const descriptor = { value: MayNeedBigInt(view, 8) };
  Object.defineProperty(view, resizingKey, descriptor);

  // The view now tracks 6 elements and the write at index 4 must be visible.
  assert.compareArray(ToNumbers(view), [0, 0, 0, 0, 8, 0]);
}

// reportCompare is not defined in this file; it is expected from the host
// test harness.
reportCompare(0, 0);