v8/test/mjsunit/regress/regress-crbug-1309467.js
Marja Hölttä f3f47a9fef [super IC] Add tests for a security bug
Bug: chromium:1309467,chromium:1308360,v8:9237
Change-Id: I77b004e263a9bed98a0dfe5936bdad055bde36a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3745365
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81530}
2022-07-05 14:17:18 +00:00


// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
// Set to true by B.prototype.m() when the `super.nodeType` read throws;
// main() resets it before every call and asserts it after each one.
let caught = false;
// Regression scenario for the bugs named in the commit record: a `super`
// property read whose lookup starts at an API object. The test's invariant is
// that the read throws on every call, including after the IC at the access
// site has been warmed up by the loop below. The exact shape of this code
// (API object as lookup start, own properties on the receiver, iteration
// count) is what drives the IC into the state under test, so keep it as is.
function main() {
  // Home object of m(). Its prototype is rewired below so the super lookup
  // starts at an API object instead of at Object.prototype.
  class B {
    m() {
      try {
        return super.nodeType; // The access site (megamorphic)
      } catch (e) {
        // Record that the read threw; the caller asserts this every iteration.
        caught = true;
      }
    }
  }
  const node = new d8.dom.Div(); // API obj
  B.prototype.__proto__ = node; // Lookup start obj == API obj
  const b = new B();
  // NOTE(review): presumably these own properties shape the receiver's map so
  // that the access site reaches the IC state being exercised - confirm.
  b.x0 = 2;
  b.x1 = 10;
  b.x2 = 3;
  b.x3 = 4;
  for (let i = 0; i < 20000; i++) {
    caught = false;
    b.m();
    // The exception must not disappear once the access site has been
    // optimized by the IC; a single silent success here is the regression.
    assertTrue(caught);
  }
}
// Run the regression scenario once; assertTrue inside main() reports failure.
main();