v8/regress-crbug-898785.js at 97eff73b71a99ff6a8f97ea7ee8c15a058b96eaf - v8 - Gitea: Git with a cup of tea

AuroraMiddleware/v8

Benedikt Meurer b8a911314d [builtins] Fix out-of-bounds in Array#lastIndexOf().

The fast-path in the `ArrayPrototypeLastIndexOf` torque implementation
didn't check that the `fromIndex` is within the bounds of the JSArray
_AFTER_ the call to ToInteger, which can have arbitrary side-effects,
i.e. it can change the length of the array.

R=yangguo@chromium.org

Bug: chromium:898785
Change-Id: I7ef84143ec8c33148f6e9d451bd52769d5074fb4
Reviewed-on: https://chromium-review.googlesource.com/c/1314329
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57204}

2018-11-02 07:42:50 +00:00

12 lines

315 B

JavaScript

Raw Blame History

 // Copyright 2018 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 // Flags: --allow-natives-syntax
 var a = [0, 1];
 var o = { [Symbol.toPrimitive]() { a.length = 1; return 2; } };
 a.push(2);
 a.lastIndexOf(5, o);