[csa] Fix is-neutered check in EmitBigTypedArrayElementStore

The ToBigInt conversion can have side effects, so the check for neutered-ness must happen afterwards. Bug: chromium:867776 Change-Id: I6e550c77a284da4cf132c21a6c3b1ed8f34eedc9 Reviewed-on: https://chromium-review.googlesource.com/1153553 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Dan Elphick <delphick@chromium.org> Cr-Commit-Position: refs/heads/master@{#54761}

[csa] Fix is-neutered check in EmitBigTypedArrayElementStore
The ToBigInt conversion can have side effects, so the check for neutered-ness must happen afterwards. Bug: chromium:867776 Change-Id: I6e550c77a284da4cf132c21a6c3b1ed8f34eedc9 Reviewed-on: https://chromium-review.googlesource.com/1153553 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Dan Elphick <delphick@chromium.org> Cr-Commit-Position: refs/heads/master@{#54761}
a24d5ad7 · Jakob Kummerow · Commit Bot · 43098ecb · a24d5ad7 · a24d5ad7
Commit a24d5ad7 authored Jul 27, 2018 by Jakob Kummerow Committed by Commit Bot Jul 27, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 2 deletions

code-stub-assembler.cc src/code-stub-assembler.cc +3 -2

regress-crbug-867776.js test/mjsunit/regress/regress-crbug-867776.js +22 -0

No files found.
--- a/src/code-stub-assembler.cc
+++ b/src/code-stub-assembler.cc
@@ -9243,13 +9243,14 @@ void CodeStubAssembler::EmitBigTypedArrayElementStore(
    TNode<JSTypedArray> object, TNode<FixedTypedArrayBase> elements,
    TNode<IntPtrT> intptr_key, TNode<Object> value, TNode<Context> context,
    Label* opt_if_neutered) {
+  TNode<BigInt> bigint_value = ToBigInt(context, value);
+
  if (opt_if_neutered != nullptr) {
-    // Check if buffer has been neutered.
+    // Check if buffer has been neutered. Must happen after {ToBigInt}!
    Node* buffer = LoadObjectField(object, JSArrayBufferView::kBufferOffset);
    GotoIf(IsDetachedBuffer(buffer), opt_if_neutered);
  }

-  TNode<BigInt> bigint_value = ToBigInt(context, value);
  TNode<RawPtrT> backing_store = LoadFixedTypedArrayBackingStore(elements);
  TNode<IntPtrT> offset = ElementOffsetFromIndex(intptr_key, BIGINT64_ELEMENTS,
                                                 INTPTR_PARAMETERS, 0);

--- a/test/mjsunit/regress/regress-crbug-867776.js
+++ b/test/mjsunit/regress/regress-crbug-867776.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+for (var i = 0; i < 3; i++) {
+  var array = new BigInt64Array(200);
+
+  function evil_callback() {
+    %ArrayBufferNeuter(array.buffer);
+    gc();
+    return 1094795585n;
+  }
+
+  var evil_object = {valueOf: evil_callback};
+  var root;
+  try {
+    root = BigInt64Array.of.call(function() { return array }, evil_object);
+  } catch(e) {}
+  gc();
+}