[ tor-browser ].git.dasho

coerced-P-shrink.js (1353B)
      1 // Copyright 2023 the V8 project authors. All rights reserved.
      2 // This code is governed by the BSD license found in the LICENSE file.
      3 
      4 /*---
      5 esid: sec-object.defineproperty
      6 description: >
      7  Object.defineProperty behaves correctly when the object is a
      8  TypedArray backed by a resizable buffer that's shrunk during argument
      9  coercion
     10 includes: [compareArray.js, resizableArrayBufferUtils.js]
     11 features: [resizable-arraybuffer]
     12 ---*/
     13 
     14 // Fixed length.
     15 for (let ctor of ctors) {
     16  const rab = CreateResizableArrayBuffer(4 * ctor.BYTES_PER_ELEMENT, 8 * ctor.BYTES_PER_ELEMENT);
     17  const fixedLength = new ctor(rab, 0, 4);
     18  const evil = {
     19    toString: () => {
     20      rab.resize(2 * ctor.BYTES_PER_ELEMENT);
     21      return 0;
     22    }
     23  };
     24  assert.throws(TypeError, () => {
     25    Object.defineProperty(fixedLength, evil, { value: MayNeedBigInt(fixedLength, 8) });
     26  });
     27 }
     28 
     29 // Length tracking.
     30 for (let ctor of ctors) {
     31  const rab = CreateResizableArrayBuffer(4 * ctor.BYTES_PER_ELEMENT, 8 * ctor.BYTES_PER_ELEMENT);
     32  const lengthTracking = new ctor(rab, 0);
     33  const evil = {
     34    toString: () => {
     35      rab.resize(2 * ctor.BYTES_PER_ELEMENT);
     36      return 3;  // Index too large after resize.
     37    }
     38  };
     39  assert.throws(TypeError, () => {
     40    Object.defineProperty(lengthTracking, evil, { value: MayNeedBigInt(lengthTracking, 8) });
     41  });
     42 }
     43 
     44 reportCompare(0, 0);
	tor-browser The Tor Browser
	git clone https://git.dasho.dev/tor-browser.git
	Log \| Files \| Refs \| README \| LICENSE