6c12d57ead
This fixes the case where the index passed to {HMaybeGrowElements} used
to derive the new capacity for the elements backing store does not fit
into Smi range. Such an overflow would fail the capacity check and cause
growing to be skipped. Subsequent keyed stores would potentially go out
of bounds.
R=mvstanton@chromium.org
TEST=mjsunit/regress/regress-crbug-686427
BUG=chromium:686427
Review-Url: https://codereview.chromium.org/2686263002
Cr-Commit-Position: refs/heads/master@{#43101}
16 lines
415 B
JavaScript
16 lines
415 B
JavaScript
// Copyright 2017 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
function f(a, base) {
|
|
a[base + 4] = 23;
|
|
return a;
|
|
}
|
|
var i = 1073741824;
|
|
assertEquals(23, f({}, 1)[1 + 4]);
|
|
assertEquals(23, f([], 2)[2 + 4]);
|
|
%OptimizeFunctionOnNextCall(f);
|
|
assertEquals(23, f({}, i)[i + 4]);
|