15c227befb
Previously, we were looking up the prototype of the receiver and checking that against %TypedArrayPrototype% before invalidating the protector cell. This is incorrect because it is possible to patch the prototype and then change the constructor property, bypassing this check. This CL adds a new instance type to the prototype of all TypedArray constructors and checks the receiver against this instance type. TBR: tebbi@chromium.org Bug: v8:11274, v8:11256 Change-Id: I2ff6280e4cf820b06c5593fe4addd36f7ac656c4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2594776 Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#71799}
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Regression test: a species lookup on a TypedArray receiver must observe a
// constructor installed on the instance's prototype, even when the prototype
// chain was detached and then restored around that replacement. The original
// prototype and species constructor are saved first so the chain can be put
// back before the call under test.
const originalTypedArrayProto = Object.getPrototypeOf(Uint8Array.prototype);
const originalSpecies = Uint8Array.prototype.constructor[Symbol.species];
let speciesGetterCalled = false;

// Detach Uint8Array.prototype from %TypedArrayPrototype%, then install a
// replacement constructor whose Symbol.species getter records the lookup and
// hands back the real species constructor so the call itself still succeeds.
Object.setPrototypeOf(Uint8Array.prototype, {});
Uint8Array.prototype.constructor = {
  get [Symbol.species]() {
    speciesGetterCalled = true;
    return originalSpecies;
  },
};

// Restore the prototype chain; only the patched constructor stays in place.
Object.setPrototypeOf(Uint8Array.prototype, originalTypedArrayProto);

// slice() must reach the species getter on the patched constructor rather
// than a fast path that assumes the constructor is untouched.
const sample = new Uint8Array(8);
sample.slice(1, 5);
assertTrue(speciesGetterCalled);