[rab/gsab] Zero out length tracking TA byte_length

Only hardening; no behavioral changes. Bug: v8:11111 Change-Id: I66765b661485334b1b14d9ceaa16a8df355d1898 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3826246Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#82429}

[rab/gsab] Zero out length tracking TA byte_length
Only hardening; no behavioral changes. Bug: v8:11111 Change-Id: I66765b661485334b1b14d9ceaa16a8df355d1898 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3826246Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#82429}
1cc4331e · Marja Hölttä · V8 LUCI CQ · ab6bf0ce · 1cc4331e
Commit 1cc4331e authored Aug 12, 2022 by Marja Hölttä Committed by V8 LUCI CQ Aug 12, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 1 deletion

typed-array-createtypedarray.tq src/builtins/typed-array-createtypedarray.tq +8 -1

No files found.
--- a/src/builtins/typed-array-createtypedarray.tq
+++ b/src/builtins/typed-array-createtypedarray.tq
@@ -57,7 +57,14 @@ transitioning macro AllocateTypedArray(implicit context: Context)(
  typedArray.elements = elements;
  typedArray.buffer = buffer;
  typedArray.byte_offset = byteOffset;
-  typedArray.byte_length = byteLength;
+  if (isLengthTracking) {
+    dcheck(IsResizableArrayBuffer(buffer));
+    // Make the byte_length of length-tracking TAs zero, so that we won't
+    // accidentally use it and access invalid data.
+    typedArray.byte_length = 0;
+  } else {
+    typedArray.byte_length = byteLength;
+  }
  typedArray.length = length;
  typedArray.bit_field.is_length_tracking = isLengthTracking;
  typedArray.bit_field.is_backed_by_rab =