[builtins] Fix assertion failure in TypedArray.from()

Bug: chromium:1029658 Change-Id: I4cb201bbf0a05d2673fcb8a5d19e34a969294c5e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1946335 Commit-Queue: Igor Sheludko <ishell@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#65304}
2019-12-03 12:15:18 +01:00 · 2019-12-03 12:15:18 +01:00 · ea79fb8cc0
commit ea79fb8cc0
parent 45ee6f4048
2 changed files with 21 additions and 2 deletions
--- a/src/builtins/typed-array-from.tq
+++ b/src/builtins/typed-array-from.tq
@ -119,8 +119,16 @@ namespace typed_array {
        const arrayLike: JSReceiver = ToObject_Inline(context, source);

        // 10. Let len be ? ToLength(? Get(arrayLike, "length")).
-        finalLength = Convert<uintptr>(GetLengthProperty(arrayLike));
-        finalSource = arrayLike;
+        const length = GetLengthProperty(arrayLike);
+
+        try {
+          finalLength = ChangeSafeIntegerNumberToUintPtr(length)
+              otherwise IfInvalidLength;
+          finalSource = arrayLike;
+        }
+        label IfInvalidLength deferred {
+          ThrowRangeError(kInvalidTypedArrayLength, length);
+        }
      }
      label IteratorNotCallable(_value: JSAny) deferred {
        ThrowTypeError(kIteratorSymbolNonCallable);
--- a/test/mjsunit/regress/regress-crbug-1029658.js
+++ b/test/mjsunit/regress/regress-crbug-1029658.js
@ -0,0 +1,11 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+delete Float64Array.prototype.__proto__[Symbol.iterator];
+let ar = new Float64Array();
+Object.defineProperty(ar, "length", {
+  get: function () { return 121567939849373; }
+});
+
+try { Float64Array.from(ar); } catch (e) {}