db1115e267
Fix Heap-use-after-free READ 2 in Intl.Segmenter when the segments got free during the iteration We need to keep a copy of the string in the iterator instead of depending on the one referenced from the segments. Bug: chromium:1121156, v8:6891 Change-Id: I26ef5baccaa470dc1bd8cc229c737f556d27160e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2376173 Commit-Queue: Frank Tang <ftang@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#69575}
12 lines
379 B
JavaScript
12 lines
379 B
JavaScript
// Copyright 2020 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --harmony-intl-segmenter --expose-gc
|
|
|
|
let segmenter = new Intl.Segmenter();
|
|
let segments = segmenter.segment(undefined);
|
|
for (let seg of segments) {
|
|
segments = gc(); // free segments and call gc.
|
|
}
|