[rab/gsab] Fix TA.p.lastIndexOf + evil resize to 0

Evil resizes were tested. Evil resizes to 0 were not. Bug: v8:11111,chromium:1393375 Change-Id: Ie7318ae300d9779664d97e61214fed61f061f36d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4053554 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Auto-Submit: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#84489}
2022-11-25 13:07:32 +01:00 · 2022-11-25 13:07:32 +01:00 · 9010d09a05
commit 9010d09a05
parent 2507b38af2
3 changed files with 35 additions and 1 deletions
--- a/src/objects/elements.cc
+++ b/src/objects/elements.cc
@ -3587,10 +3587,13 @@ class TypedElementsAccessor
    }

    size_t typed_array_length = typed_array.GetLength();
-    if (start_from >= typed_array_length) {
+    if (V8_UNLIKELY(start_from >= typed_array_length)) {
      // This can happen if the TypedArray got resized when we did ToInteger
      // on the last parameter of lastIndexOf.
      DCHECK(typed_array.IsVariableLength());
+      if (typed_array_length == 0) {
+        return Just<int64_t>(-1);
+      }
      start_from = typed_array_length - 1;
    }

--- a/test/mjsunit/regress/regress-crbug-1393375.js
+++ b/test/mjsunit/regress/regress-crbug-1393375.js
@ -0,0 +1,14 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-rab-gsab
+
+const rab = new ArrayBuffer(50, {"maxByteLength": 100});
+const ta = new Int8Array(rab);
+const evil = {};
+evil.valueOf = function() {
+  rab.resize(0);
+  return 5;
+}
+ta.lastIndexOf(1, evil);
--- a/test/mjsunit/typedarray-resizablearraybuffer.js
+++ b/test/mjsunit/typedarray-resizablearraybuffer.js
@ -5001,6 +5001,23 @@ function LastIndexOfParameterConversionShrinks(lastIndexOfHelper) {
    // 2 no longer found.
    assertEquals(-1, lastIndexOfHelper(lengthTracking, 2, evil));
  }
+  // Test resizing to 0 separately since it's special.
+  for (let ctor of ctors) {
+    const rab = CreateResizableArrayBuffer(4 * ctor.BYTES_PER_ELEMENT,
+                                           8 * ctor.BYTES_PER_ELEMENT);
+    const lengthTracking = new ctor(rab);
+    for (let i = 0; i < 4; ++i) {
+      WriteToTypedArray(lengthTracking, i, i);
+    }
+
+    const evil = { valueOf: () => {
+      rab.resize(0);
+      return 2;
+    }};
+    assertEquals(2, lastIndexOfHelper(lengthTracking, 2));
+    // 2 no longer found.
+    assertEquals(-1, lastIndexOfHelper(lengthTracking, 2, evil));
+  }
 }
 LastIndexOfParameterConversionShrinks(TypedArrayLastIndexOfHelper);
 LastIndexOfParameterConversionShrinks(ArrayLastIndexOfHelper);