AuroraMiddleware/v8 - v8 - Gitea: Git with a cup of tea

AuroraMiddleware/v8

Fork 0

Commit Graph

Author	SHA1	Message	Date
bmeurer	9224d5d1bc	[csa] Bailout to the runtime for ToInteger conversion in Array.p.indexOf. The fast-path for Array.prototype.indexOf first checks whether the receiver is a fast-mode JSArray (and there are no elements in the prototype chain in case of holey arrays), then loads the known JSArray::length, and afterwards calls ToInteger on the fromIndex. But this ToInteger(fromIndex) call can cause arbitrary side effects if the fromIndex is a JSReceiver, in particular it can invalidate the assumptions about the fast-mode of the receiver and the length. In the worst case this leads to OOB memory access. Quick-fix is to bailout to the runtime if the fromIndex is neither a Smi nor undefined, which represents the common cases. R=jarin@chromium.org BUG=chromium:702058 Review-Url: https://codereview.chromium.org/2756663002 Cr-Commit-Position: refs/heads/master@{#43843}	2017-03-16 06:53:09 +00:00

Author

SHA1

Message

Date

bmeurer

9224d5d1bc

[csa] Bailout to the runtime for ToInteger conversion in Array.p.indexOf.

The fast-path for Array.prototype.indexOf first checks whether the
receiver is a fast-mode JSArray (and there are no elements in the
prototype chain in case of holey arrays), then loads the known
JSArray::length, and afterwards calls ToInteger on the fromIndex.

But this ToInteger(fromIndex) call can cause arbitrary side effects if
the fromIndex is a JSReceiver, in particular it can invalidate the
assumptions about the fast-mode of the receiver and the length. In the
worst case this leads to OOB memory access.

Quick-fix is to bailout to the runtime if the fromIndex is neither a Smi
nor undefined, which represents the common cases.

R=jarin@chromium.org
BUG=chromium:702058

Review-Url: https://codereview.chromium.org/2756663002
Cr-Commit-Position: refs/heads/master@{#43843}

2017-03-16 06:53:09 +00:00

1 Commits