    [csa] Bailout to the runtime for ToInteger conversion in Array.p.indexOf. · 9224d5d1
    bmeurer authored
    The fast-path for Array.prototype.indexOf first checks whether the
    receiver is a fast-mode JSArray (and there are no elements in the
    prototype chain in case of holey arrays), then loads the known
    JSArray::length, and afterwards calls ToInteger on the fromIndex.
    
    But this ToInteger(fromIndex) call can cause arbitrary side effects if
    the fromIndex is a JSReceiver, in particular it can invalidate the
    assumptions about the fast-mode of the receiver and the length. In the
    worst case this leads to OOB memory access.
    
    Quick-fix is to bail out to the runtime if the fromIndex is neither a Smi
    nor undefined, which represents the common cases.
    
    R=jarin@chromium.org
    BUG=chromium:702058
    
    Review-Url: https://codereview.chromium.org/2756663002
    Cr-Commit-Position: refs/heads/master@{#43843}
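The hazard the commit describes, modelled at the JavaScript level as an added example (this is not V8 code and not part of the commit): the fast path captures the receiver's length, then runs ToInteger on fromIndex, and a fromIndex that is an object can run arbitrary user code from its valueOf, invalidating the captured length. The guard mirrors the quick-fix: only a Smi or undefined reaches the loop that trusts the captured length, anything else goes to a spec-shaped generic path that checks every index. The names `SMI_MAX`, `SMI_MIN`, `isSmiOrUndefined`, `toInteger`, `genericIndexOf`, `guardedFastIndexOf`, `traceStaleLength` and `makeShrinkingFromIndex`, and the assumed 31-bit Smi range, are illustrative assumptions, not V8 identifiers.

```javascript
// Added example, not V8 code: a model of the fast-path hazard and its guard.
// All names below are illustrative assumptions, not V8 identifiers.

// Assumption: a 31-bit Smi (tagged small integer) range.
const SMI_MAX = 2 ** 30 - 1;
const SMI_MIN = -(2 ** 30);

// The quick-fix check: a Smi or undefined cannot run user code under ToInteger.
function isSmiOrUndefined(v) {
  return v === undefined || (Number.isInteger(v) && v >= SMI_MIN && v <= SMI_MAX);
}

// ToInteger(fromIndex): for an object this calls valueOf/toString, which is
// where arbitrary side effects enter.
function toInteger(v) {
  const n = Math.trunc(Number(v));
  return Number.isNaN(n) ? 0 : n;
}

// Spec-shaped generic path: length is read first, fromIndex is converted after,
// and every index is checked with HasProperty (k in arr), so a receiver shrunk
// during conversion yields -1 instead of a read past its storage.
function genericIndexOf(arr, search, fromIndex) {
  const len = arr.length >>> 0;            // ToLength(Get(O, "length"))
  const n = fromIndex === undefined ? 0 : toInteger(fromIndex);
  let k = n >= 0 ? n : Math.max(len + n, 0);
  for (; k < len; k++) {
    if (k in arr && arr[k] === search) return k;
  }
  return -1;
}

// Model of the fast path with the guard: a fromIndex that could run user code
// never reaches the loop that trusts the captured length.
function guardedFastIndexOf(arr, search, fromIndex, log = []) {
  if (!isSmiOrUndefined(fromIndex)) {
    log.push("bailout");
    return genericIndexOf(arr, search, fromIndex);
  }
  const len = arr.length;                  // captured once; nothing below runs user code
  const n = fromIndex === undefined ? 0 : fromIndex;
  for (let k = n >= 0 ? n : Math.max(len + n, 0); k < len; k++) {
    if (arr[k] === search) return k;       // direct element reads, as a fast path does
  }
  return -1;
}

// Shows the assumption being invalidated: the length captured before ToInteger
// versus the receiver's length after it. At the JS level a read past the new
// length yields undefined; in the engine's fast path it was an OOB element read.
function traceStaleLength(arr, fromIndex) {
  const capturedLen = arr.length;
  toInteger(fromIndex);                    // user code may mutate arr here
  return { capturedLen, actualLen: arr.length };
}

// Constructed sample input: a fromIndex whose valueOf shrinks the array.
function makeShrinkingFromIndex(arr) {
  return { valueOf() { arr.length = 1; return 0; } };
}

const sample = [10, 20, 30, 40, 50];
console.log(traceStaleLength(sample, makeShrinkingFromIndex(sample)));
// { capturedLen: 5, actualLen: 1 }

const sample2 = [10, 20, 30, 40, 50];
const log = [];
console.log(guardedFastIndexOf(sample2, 50, makeShrinkingFromIndex(sample2), log), log);
// -1 [ 'bailout' ]
```

Note that the spec already orders ToLength before ToInteger(fromIndex); the generic path stays correct under mutation only because it re-checks each index with HasProperty, which is exactly the check the engine's fast path omits in exchange for speed, and why the fast path may only run when ToInteger is known to be side-effect free.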
builtins-array.cc 100 KB