9224d5d1bc
The fast-path for Array.prototype.indexOf first checks whether the receiver is a fast-mode JSArray (and there are no elements in the prototype chain in case of holey arrays), then loads the known JSArray::length, and afterwards calls ToInteger on the fromIndex. But this ToInteger(fromIndex) call can cause arbitrary side effects if the fromIndex is a JSReceiver, in particular it can invalidate the assumptions about the fast-mode of the receiver and the length. In the worst case this leads to OOB memory access. Quick-fix is to bailout to the runtime if the fromIndex is neither a Smi nor undefined, which represents the common cases. R=jarin@chromium.org BUG=chromium:702058 Review-Url: https://codereview.chromium.org/2756663002 Cr-Commit-Position: refs/heads/master@{#43843}
11 lines
349 B
JavaScript
11 lines
349 B
JavaScript
// Copyright 2017 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
var arr = [];
|
|
for (var i = 0; i < 100000; i++) arr[i] = [];
|
|
var fromIndex = {valueOf: function() { arr.length = 0; }};
|
|
arr.indexOf({}, fromIndex);
|