From 4cdfb46a6db67505cf256c4ccd2fdd49b95e529a Mon Sep 17 00:00:00 2001 From: "dslomov@chromium.org" Date: Thu, 27 Mar 2014 12:54:26 +0000 Subject: [PATCH] Fix JSObject::SetElement for fixed typed array elements. R=ulan@chromium.org BUG=357108 LOG=N Review URL: https://codereview.chromium.org/214543003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20300 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 --- src/objects.cc | 3 ++- test/mjsunit/regress/regress-357108.js | 20 ++++++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 test/mjsunit/regress/regress-357108.js diff --git a/src/objects.cc b/src/objects.cc index 0013e72..a6d0403 100644 --- a/src/objects.cc +++ b/src/objects.cc @@ -12410,7 +12410,8 @@ Handle JSObject::SetElement(Handle object, SetPropertyMode set_mode) { Isolate* isolate = object->GetIsolate(); - if (object->HasExternalArrayElements()) { + if (object->HasExternalArrayElements() || + object->HasFixedTypedArrayElements()) { if (!value->IsNumber() && !value->IsUndefined()) { bool has_exception; Handle number = diff --git a/test/mjsunit/regress/regress-357108.js b/test/mjsunit/regress/regress-357108.js new file mode 100644 index 0000000..b20975b --- /dev/null +++ b/test/mjsunit/regress/regress-357108.js @@ -0,0 +1,20 @@ +// Copyright 2014 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. +// +// Flags: --typed-array-max-size-in-heap=64 + +function TestArray(constructor) { + function Check(a) { + a[0] = ""; + assertEquals(0, a[0]); + a[0] = {}; + assertEquals(0, a[0]); + a[0] = { valueOf : function() { return 27; } }; + assertEquals(27, a[0]); + } + Check(new constructor(1)); + Check(new constructor(100)); +} + +TestArray(Uint8Array); -- 2.7.4