Commit 15aa8c58 authored by jameslahm's avatar jameslahm Committed by V8 LUCI CQ

[runtime] Invalidate TypedArraySpeciesLookupChain protector

... when setting the prototype of TypedArray constructor.

Setting the __proto__ of a TypedArray constructor can change the result of the
@@species lookup on that constructor, so the @@species protector has to be invalidated.

Bug: v8:13110
Change-Id: Ib3b2c88d1136965c221492ff81a26ae69533b356
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3813063
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Reviewed-by: 's avatarMarja Hölttä <marja@chromium.org>
Reviewed-by: 's avatarJakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82282}
parent ccc3138e
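--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -4600,6 +4600,16 @@ void Isolate::UpdateNoElementsProtectorOnSetElement(Handle<JSObject> object) {
 Protectors::InvalidateNoElements(this);
 }
+void Isolate::UpdateTypedArraySpeciesLookupChainProtectorOnSetPrototype(
+Handle<JSObject> object) {
+// Setting the __proto__ of TypedArray constructor could change TypedArray's
+// @@species. So we need to invalidate the @@species protector.
+if (object->IsTypedArrayConstructor() &&
+Protectors::IsTypedArraySpeciesLookupChainIntact(this)) {
+Protectors::InvalidateTypedArraySpeciesLookupChain(this);
+}
+}
 static base::RandomNumberGenerator* ensure_rng_exists(
 base::RandomNumberGenerator** rng, int seed) {
 if (*rng == nullptr) {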
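Review bot: The comment on the new helper restates the commit message but not why the prototype matters, so a reader may assume only the constructor's own properties are involved. The regression test in this commit shows the mechanism: Uint8Array does not own @@species, so replacing its prototype chain changes what `Uint8Array[Symbol.species]` resolves to. I would make the comment say that and also state that the invalidation is deliberately conservative, e.g. `// Concrete TypedArray constructors inherit @@species through their prototype chain, so replacing a TypedArray constructor's prototype can change the @@species lookup result. Invalidate conservatively without inspecting the new prototype.` Whether the neighbouring Isolate::Update*Protector helpers use early returns rather than a compound condition cannot be judged from this hunk.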
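--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1497,6 +1497,8 @@ class V8_EXPORT_PRIVATE Isolate final : private HiddenFactory {
 void UpdateNoElementsProtectorOnSetPrototype(Handle<JSObject> object) {
 UpdateNoElementsProtectorOnSetElement(object);
 }
+void UpdateTypedArraySpeciesLookupChainProtectorOnSetPrototype(
+Handle<JSObject> object);
 void UpdateNoElementsProtectorOnNormalizeElements(Handle<JSObject> object) {
 UpdateNoElementsProtectorOnSetElement(object);
 }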
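Review bot: The new declaration is the only member in this hunk without its body beside it, so a reader of the header cannot tell what it does or when it fires. A one-line comment above it would close that gap, e.g. `// Invalidates the TypedArraySpeciesLookupChain protector when object is a TypedArray constructor whose prototype is being replaced.` The enclosing class body continues outside the hunk.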
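--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -5108,6 +5108,8 @@ Maybe<bool> JSObject::SetPrototype(Isolate* isolate, Handle<JSObject> object,
 // Set the new prototype of the object.
 isolate->UpdateNoElementsProtectorOnSetPrototype(real_receiver);
+isolate->UpdateTypedArraySpeciesLookupChainProtectorOnSetPrototype(
+real_receiver);
 Handle<Map> new_map =
 Map::TransitionToPrototype(isolate, map, Handle<HeapObject>::cast(value));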
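Review bot: The new call drops the protector on every prototype change of a TypedArray constructor, including one that reinstalls an equivalent chain, because the helper never looks at `value`; that is a safe choice, but nothing at the call site says it is intentional. A short comment would record it, e.g. `// Conservative: any prototype change on a TypedArray constructor invalidates the @@species protector, regardless of the new value.` Whether JSObject::SetPrototype returns early for an unchanged prototype is decided above this hunk and cannot be confirmed here; the rest of the function is outside the hunk as well.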
// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const array = new Uint8Array(1024);
Uint8Array.__proto__ = {
__proto__: Uint16Array.__proto__,
[Symbol.species]: Uint16Array,
};
const uint16 = array.slice();
assertTrue(uint16 instanceof Uint16Array);
assertEquals(uint16.length, 1024);
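Review bot: The regression test exercises the species lookup only through `slice()`, so a regression in another species-creating path would go unnoticed even though the same protector guards it. I would add one more consumer of the species constructor, e.g. `const mapped = array.map(x => x); assertTrue(mapped instanceof Uint16Array);`. In the final line the arguments appear in found-then-expected order, whereas mjsunit's assertEquals takes the expected value first; this only affects the failure message, but `assertEquals(1024, uint16.length);` matches the usual convention.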