    [Builtins] Array.prototype.reduce missing length check · 2222a9d6
    Mike Stanton authored
    In the recent port of reduce() and reduceRight(), a check for a length
    change during the loop (standard for iterating builtins) was omitted.
    
    We did get array bounds check protection, however it didn't expose
    the issue in our tests because the bounds check is against the
    backing store length, not against the length in the referring JSArray.
    
    Also added a test for reduceRight().
    
    R=jgruber@chromium.org
    
    Bug: chromium:937676
    Change-Id: I76e22e0d71965bff84a0822b1df5dc818a00b50e
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1503732
    Reviewed-by: Jakob Gruber <jgruber@chromium.org>
    Commit-Queue: Michael Stanton <mvstanton@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#60033}
Name
arm
arm64
ia32
mips
mips64
ppc
s390
x64
arguments.tq
array-copywithin.tq
array-every.tq
array-filter.tq
array-find.tq
array-findindex.tq
array-foreach.tq
array-join.tq
array-lastindexof.tq
array-map.tq
array-of.tq
array-reduce-right.tq
array-reduce.tq
array-reverse.tq
array-slice.tq
array-some.tq
array-splice.tq
array-unshift.tq
array.tq
base.tq
builtins-api.cc
builtins-arguments-gen.cc
builtins-arguments-gen.h
builtins-array-gen.cc
builtins-array-gen.h
builtins-array.cc
builtins-arraybuffer.cc
builtins-async-function-gen.cc
builtins-async-gen.cc
builtins-async-gen.h
builtins-async-generator-gen.cc
builtins-async-iterator-gen.cc
builtins-bigint-gen.cc
builtins-bigint.cc
builtins-boolean-gen.cc
builtins-boolean.cc
builtins-call-gen.cc
builtins-call-gen.h
builtins-call.cc
builtins-callsite.cc
builtins-collections-gen.cc
builtins-collections-gen.h
builtins-collections.cc
builtins-console-gen.cc
builtins-console.cc
builtins-constructor-gen.cc
builtins-constructor-gen.h
builtins-constructor.h
builtins-conversion-gen.cc
builtins-data-view-gen.h
builtins-dataview.cc
builtins-date-gen.cc
builtins-date.cc
builtins-debug-gen.cc
builtins-definitions.h
builtins-descriptors.h
builtins-error.cc
builtins-extras-utils.cc
builtins-function-gen.cc
builtins-function.cc
builtins-generator-gen.cc
builtins-global-gen.cc
builtins-global.cc
builtins-handler-gen.cc
builtins-ic-gen.cc
builtins-internal-gen.cc
builtins-internal.cc
builtins-interpreter-gen.cc
builtins-intl-gen.cc
builtins-intl.cc
builtins-iterator-gen.cc
builtins-iterator-gen.h
builtins-json.cc
builtins-lazy-gen.cc
builtins-lazy-gen.h
builtins-math-gen.cc
builtins-math-gen.h
builtins-math.cc
builtins-microtask-queue-gen.cc
builtins-number-gen.cc
builtins-number.cc
builtins-object-gen.cc
builtins-object-gen.h
builtins-object.cc
builtins-promise-gen.cc
builtins-promise-gen.h
builtins-promise.cc
builtins-promise.h
builtins-proxy-gen.cc
builtins-proxy-gen.h
builtins-reflect-gen.cc
builtins-reflect.cc
builtins-regexp-gen.cc
builtins-regexp-gen.h
builtins-regexp.cc
builtins-sharedarraybuffer-gen.cc
builtins-sharedarraybuffer.cc
builtins-string-gen.cc
builtins-string-gen.h
builtins-string.cc
builtins-symbol-gen.cc
builtins-symbol.cc
builtins-trace.cc
builtins-typed-array-gen.cc
builtins-typed-array-gen.h
builtins-typed-array.cc
builtins-utils-gen.h
builtins-utils-inl.h
builtins-utils.h
builtins-wasm-gen.cc
builtins-weak-refs.cc
builtins.cc
builtins.h
collections.tq
constants-table-builder.cc
constants-table-builder.h
data-view.tq
extras-utils.tq
frames.tq
generate-bytecodes-builtins-list.cc
growable-fixed-array-gen.cc
growable-fixed-array-gen.h
iterator.tq
object-fromentries.tq
setup-builtins-internal.cc
string-endswith.tq
string-startswith.tq
typed-array-createtypedarray.tq
typed-array-foreach.tq
typed-array-reduce.tq
typed-array-reduceright.tq
typed-array-slice.tq
typed-array-subarray.tq
typed-array.tq