-
Jakob Gruber authored
This reduction relies on a known object layout of the regexp instance in order to access the lastIndex field through a statically-determined offset. Prior to this CL, we checked only for instance types, not for the map, and thus it was possible to read garbage from either inside or outside the current object. Bug: chromium:1024758,v8:7779 Change-Id: I1eec8220797f443bdf3d05804e54f33b21fa2f00 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1924353Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Sigurd Schneider <sigurds@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#65039}
aecd8437