1. 05 Mar, 2019 1 commit
    • Mike Stanton's avatar
      [Builtins] Array.prototype.reduce missing length check · 2222a9d6
      Mike Stanton authored
      In the recent port of reduce() and reduceRight(), a check for a length
      change during the loop (standard for iterating builtins) was omitted.
      
      We did get array bounds check protection, however it didn't expose
      the issue in our tests because the bounds check is against the
      backing store length, not against the length in the referring JSArray.
      
      Also added a test for reduceRight().
      
      R=jgruber@chromium.org
      
      Bug: chromium:937676
      Change-Id: I76e22e0d71965bff84a0822b1df5dc818a00b50e
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1503732Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
      Commit-Queue: Michael Stanton <mvstanton@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#60033}
      2222a9d6
  2. 05 Mar, 2018 1 commit
  3. 25 Jan, 2018 1 commit
  4. 19 Jan, 2018 1 commit
  5. 15 Jan, 2018 1 commit
  6. 21 Dec, 2017 2 commits
  7. 15 Sep, 2017 1 commit
  8. 21 Mar, 2017 1 commit
  9. 22 Oct, 2014 1 commit
  10. 27 Mar, 2014 1 commit
  11. 14 Nov, 2012 1 commit
  12. 31 May, 2011 1 commit
  13. 09 Jul, 2009 1 commit
  14. 21 Apr, 2009 2 commits