3bcf2b83eb
This CL fixes a bug where execution would continue on a fast-path even though a previous recursion step bailed to the slow path. This would allow possibly illegal loads that could leak to JS. Drive-by change: Instead of bailing to the slow-path on each recursion step, we now bail completely and start the slow-path afterwards. R=cbruni@chromium.org, jgruber@chromium.org Bug: chromium:854299, v8:7382 Change-Id: Ib2fd5d85dbd0c3894d7775c4f62e053c31b5e5d1 Reviewed-on: https://chromium-review.googlesource.com/1107702 Commit-Queue: Simon Zünd <szuend@google.com> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#53892}
// Copyright 2018 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --expose-gc
|
|
|
|
let rand = n => Math.floor(Math.random() * n);
|
|
|
|
for (let i = 0; i < 1000; ++i) {
|
|
array = [];
|
|
let len = rand(30);
|
|
for(let i = 0; i < len; ++i) {
|
|
array[i] = [i + 0.1];
|
|
}
|
|
|
|
let counter = 0;
|
|
array.sort((a, b) => {
|
|
a = a || [0];
|
|
b = b || [0];
|
|
|
|
if (counter++ == rand(30)) {
|
|
array.length = 1;
|
|
gc();
|
|
}
|
|
return a[0] - b[0];
|
|
});
|
|
}
|
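Review bot: `array = [];` at the top of the outer loop body assigns an undeclared identifier, so the test silently creates a global (and would throw in strict mode); declaring it with `let array = [];` keeps the binding local while still visible to the comparator closure that does `array.length = 1`. The inner loop also reuses `i` as its index, shadowing the outer loop counter; renaming it to `j` avoids that confusion. The file carries no comment saying what it regresses, and a header such as `// Regression test for chromium:854299 / v8:7382: truncating the array and forcing a GC from inside the comparator must not let Array.prototype.sort keep running on the fast path after it has bailed out.` would make the intent readable to the next maintainer. The `a = a || [0];` / `b = b || [0];` guards are presumably there because elements beyond the truncated length read back as undefined after `array.length = 1`; a one-line comment to that effect would help, since otherwise the guards look like dead code.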