src/third_party/v8/test/mjsunit/regress/regress-crbug-867776.js - cobalt - Git at Google

 // Copyright 2018 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 // Flags: --allow-natives-syntax --expose-gc

 for (var i = 0; i < 3; i++) {
   var array = new BigInt64Array(200);

   function evil_callback() {
     %ArrayBufferDetach(array.buffer);
     gc();
     return 1094795585n;
   }

   var evil_object = {valueOf: evil_callback};
   var root;
   try {
     root = BigInt64Array.of.call(function() { return array }, evil_object);
   } catch(e) {}
   gc();
 }
	// Copyright 2018 the V8 project authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	// Flags: --allow-natives-syntax --expose-gc

	for (var i = 0; i < 3; i++) {
	var array = new BigInt64Array(200);

	function evil_callback() {
	%ArrayBufferDetach(array.buffer);
	gc();
	return 1094795585n;
	}

	var evil_object = {valueOf: evil_callback};
	var root;
	try {
	root = BigInt64Array.of.call(function() { return array }, evil_object);
	} catch(e) {}
	gc();
	}