[elements] limit TypedElementsAccessor::IncludesValue to backing store length

The contract is that the method is only invoked when there are no elements on the prototype, and this elements type forbids accessor elements. So it is safe to limit the search to the end of the backing store. BUG=chromium:634269, v8:5162 R=cbruni@chromium.org, mstarzinger@chromium.org Review-Url: https://codereview.chromium.org/2209273002 Cr-Commit-Position: refs/heads/master@{#38344}
2016-08-04 08:53:10 -07:00 · 2016-08-04 08:53:10 -07:00 · 0d7f7dc3ee
commit 0d7f7dc3ee
parent b96823ff29
2 changed files with 13 additions and 0 deletions
--- a/src/elements.cc
+++ b/src/elements.cc
@ -2551,6 +2551,12 @@ class TypedElementsAccessor
      return Just(false);
    }

+    // Prototype has no elements, and not searching for the hole --- limit
+    // search to backing store length.
+    if (static_cast<uint32_t>(elements->length()) < length) {
+      length = elements->length();
+    }
+
    if (!std::isnan(search_value)) {
      for (uint32_t k = start_from; k < length; ++k) {
        double element_k = elements->get_scalar(k);
--- a/test/mjsunit/es7/regress/regress-634269.js
+++ b/test/mjsunit/es7/regress/regress-634269.js
@ -0,0 +1,7 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+__v_1 = new Uint8Array();
+Object.defineProperty(__v_1.__proto__, 'length', {value: 42});
+Array.prototype.includes.call(new Uint8Array(), 2);