Commit f3f47a9f authored by Marja Hölttä's avatar Marja Hölttä Committed by V8 LUCI CQ

[super IC] Add tests for a security bug

Bug: chromium:1309467,chromium:1308360,v8:9237
Change-Id: I77b004e263a9bed98a0dfe5936bdad055bde36a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3745365Reviewed-by: 's avatarIgor Sheludko <ishell@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81530}
parent 8559a04f
// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let badCaseRan = false;
function main(i) {
class B {
m() {
return super.nodeType; // The access site (megamorphic)
}
}
let node = new d8.dom.Div(); // API object
node['a' + i] = 1; // Create a new shape
if (i < 0x100 - 1) {
B.prototype.__proto__ = {};
} else {
B.prototype.__proto__ = node; // Lookup start object == API object
}
let b = new B();
b.x0 = 1;
b.x1 = 2;
b.x2 = 3;
b.x3 = 4;
node.nodeType; // Create a handler for loading from the API object
let caught = false;
try {
b.m();
} catch {
caught = true;
}
if (i < 0x100 - 1) {
assertFalse(caught);
} else {
assertTrue(caught);
badCaseRan = true;
}
}
for (let i = 0; i < 0x100; i++) {
main(i);
}
assertTrue(badCaseRan);
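Review bot: The bare `catch {` on line 37 treats any exception as the expected outcome, so `assertTrue(caught)` in the last iteration would also pass on an unrelated failure inside `m()`; binding the error and checking its type, e.g. `catch (e) { caught = e instanceof TypeError; }` (assuming the API accessor's receiver check throws a TypeError in d8 — confirm), pins the behaviour the test is meant to guard. The same applies to the `catch (e)` on line 61 of the second file. The intent is only recoverable from the commit message, so a header comment would help a future reader, e.g. `// Regression test: a super property load whose lookup start object is an API object must not reuse the handler created by node.nodeType for a different receiver; it is expected to throw.` — the mechanism is inferred from the test's shape, so phrase it as the bug tracker describes it. Finally, `0x100 - 1` appears on both line 23 and line 40; a named constant such as `const BAD_CASE = 0x100 - 1;` would make the two branches read as one condition.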
// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
let caught = false;
function main() {
class B {
m() {
try {
return super.nodeType; // The access site (megamorphic)
} catch (e) {
caught = true;
}
}
}
const node = new d8.dom.Div(); // API obj
B.prototype.__proto__ = node; // Lookup start obj == API obj
const b = new B();
b.x0 = 2;
b.x1 = 10;
b.x2 = 3;
b.x3 = 4;
for (let i = 0; i < 20000; i++) {
caught = false;
b.m();
assertTrue(caught);
}
}
main();
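Review bot: The `// Flags: --allow-natives-syntax` line at the top of this file does not appear to be needed: none of the visible lines use `%`-prefixed natives, so the flag can be dropped unless a later revision of the test relies on it. A one-line header comment stating what the 20000-iteration loop on line 73 is meant to exercise (presumably that the super load keeps throwing as the IC state of the access site changes — hedged, since the file does not say) would also help. `caught` is a module-level flag written from inside `m()`; moving the try/catch to the `b.m()` call site, as the first file does, would keep the method under test free of test plumbing.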