1. 16 Dec, 2020 1 commit
    • [runtime] Fix TypedArrayPrototype protector cell checks · 15c227be
      Sathya Gunasekaran authored
      Previously, we were looking up the prototype of the receiver and
      checking that against %TypedArrayPrototype% before invalidating the
      protector cell.
      
      This is incorrect as it's possible to patch the prototype and then
      change the constructor property, bypassing this check.
      
      This CL adds a new instance type to prototype of all TypedArray
      constructors and checks the receiver against this instance type.
      
      TBR: tebbi@chromium.org
      Bug: v8:11274, v8:11256
      Change-Id: I2ff6280e4cf820b06c5593fe4addd36f7ac656c4
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2594776
      Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
      Reviewed-by: Camillo Bruni <cbruni@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#71799}