[turbofan] Harden ArrayPrototypePop and ArrayPrototypeShift
An exploitation technique that abuses `pop` and `shift` to create a JS array with a negative length was publicly disclosed some time ago. Add extra checks to break the technique.

Bug: chromium:1198696
Change-Id: Ie008e9ae60bbdc3b25ca3a986d3cdc5e3cc00431
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2823707
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sergei Glazunov <glazunov@google.com>
Cr-Commit-Position: refs/heads/master@{#73973}