-
Samuel Groß authored
When a detached JSDataView is deserialized, it's backing ArrayBuffer backing store is empty (i.e. the EmptyBackingStoreBuffer() pointer). Previously, the JSDataView's data_pointer would then be set to EmptyBackingStoreBuffer() + byte_offset(), which is not a valid backing store pointer as it points outside of the sandbox. Instead, which this CL the data_pointer is now simply set to EmptyBackingStoreBuffer(). Bug: v8:10391 Change-Id: Ic7d144f2f20d5ec99438d2b3bf33735fbf8d5fc6 Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3717987 Commit-Queue: Samuel Groß <saelo@chromium.org> Reviewed-by:
Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/main@{#81348}
d22b3c96
