• Sathya Gunasekaran's avatar
    [runtime] Fix TypedArrayPrototype protector cell checks · 15c227be
    Sathya Gunasekaran authored
    Previously, we were looking up the prototype of the receiver and
    checking that against %TypedArrayPrototype% before invalidating the
    protector cell.
    
    This is incorrect as it's possible to patch the prototype and then
    change the constructor property, bypassing this check.
    
    This CL adds a new instance type to prototype of all TypedArray
    constructors and checks the receiver against this instance type.
    
    TBR: tebbi@chromium.org
    Bug: v8:11274, v8:11256
    Change-Id: I2ff6280e4cf820b06c5593fe4addd36f7ac656c4
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2594776
    Commit-Queue: Sathya Gunasekaran  <gsathya@chromium.org>
    Reviewed-by: 's avatarCamillo Bruni <cbruni@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#71799}
    15c227be
value-serializer.cc 80.8 KB