AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[rab/gsab] Fix toPrimitive resizing the backing store

Browse Source 
Bug: v8:11111,chromium:1381064
Change-Id: Id4f5f56758f0ec7999fe523a0849dd26d84ecc47
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4002208
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Auto-Submit: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84054}
This commit is contained in:
Marja Hölttä 2022-11-03 14:50:03 +01:00 committed by V8 LUCI CQ
parent 0a28d7eb3a
commit 28545f7aea
2 changed files with 24 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/objects/objects.cc
View File

@ -2802,19 +2802,22 @@ Maybe<bool> Object::SetDataProperty(LookupIterator* it, Handle<Object> value) {
if (it->IsElement() && receiver->IsJSObject(isolate) &&
JSObject::cast(*receiver).HasTypedArrayOrRabGsabTypedArrayElements(
isolate)) {
auto receiver_ta = Handle<JSTypedArray>::cast(receiver);
ElementsKind elements_kind = JSObject::cast(*receiver).GetElementsKind();
if (IsBigIntTypedArrayElementsKind(elements_kind)) {
ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, to_assign,
BigInt::FromObject(isolate, value),
Nothing<bool>());
if (Handle<JSTypedArray>::cast(receiver)->IsDetachedOrOutOfBounds()) {
if (V8_UNLIKELY(receiver_ta->IsDetachedOrOutOfBounds() ||
it->index() >= receiver_ta->GetLength())) {
return Just(true);
}
} else if (!value->IsNumber() && !value->IsUndefined(isolate)) {
ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, to_assign,
Object::ToNumber(isolate, value),
Nothing<bool>());
if (Handle<JSTypedArray>::cast(receiver)->IsDetachedOrOutOfBounds()) {
if (V8_UNLIKELY(receiver_ta->IsDetachedOrOutOfBounds() ||
it->index() >= receiver_ta->GetLength())) {
return Just(true);
}
}

19
test/mjsunit/regress/regress-crbug-1381064.js Normal file
View File

@ -0,0 +1,19 @@
// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --harmony-rab-gsab
(function NonBigIntRegressionTest() {
const rab = new ArrayBuffer(1050, {"maxByteLength": 2000});
const ta = new Uint8ClampedArray(rab);
ta[Symbol.toPrimitive] = () => { rab.resize(0); return 0; };
ta[916] = ta;
})();
(function BigIntRegressionTest() {
const rab = new ArrayBuffer(8 * 100, {"maxByteLength": 8 * 200});
const ta = new BigInt64Array(rab);
ta[Symbol.toPrimitive] = () => { rab.resize(0); return 0n; };
ta[1] = ta;
})();