Benedikt Meurer authored
The fast-path in the `ArrayPrototypeLastIndexOf` torque implementation didn't check that the `fromIndex` is within the bounds of the JSArray _AFTER_ the call to ToInteger, which can have arbitrary side-effects, i.e. it can change the length of the array.

R=yangguo@chromium.org

Bug: chromium:898785
Change-Id: I7ef84143ec8c33148f6e9d451bd52769d5074fb4
Reviewed-on: https://chromium-review.googlesource.com/c/1314329
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57204}
b8a91131
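
The ordering problem the commit message describes, as an added model in plain JavaScript; this is not V8's Torque code or the code of this commit. The object with `store` and `length`, and every function name below, are hypothetical, and clamping the start index stands in for whatever re-check the real fast path performs.

```javascript
// Constructed model of a JSArray: `store` is the backing store, `length` the
// logical length. Shrinking `length` leaves stale values in `store`.
function makeArray(items) { return { store: items.slice(), length: items.length }; }

// ToInteger-like conversion: Number() runs user code through valueOf().
function toInteger(v) {
  const n = Number(v);
  return Number.isNaN(n) ? 0 : Math.trunc(n);
}

// Start index per the lastIndexOf rules, computed from a given length.
function startIndex(n, len) { return n >= 0 ? Math.min(n, len - 1) : len + n; }

// Backwards scan that records every index read at or past the logical length.
function search(arr, target, start) {
  const oob = [];
  for (let k = start; k >= 0; k--) {
    if (k >= arr.length) oob.push(k);
    if (arr.store[k] === target) return { index: k, oob };
  }
  return { index: -1, oob };
}

// Stale bounds: the length is read before the conversion and trusted after it.
function lastIndexOfStale(arr, target, fromIndex) {
  const len = arr.length;
  const n = toInteger(fromIndex);            // side effects may run here
  return search(arr, target, startIndex(n, len));
}

// Re-checked bounds: the start index is validated against the length as it
// is after the conversion has run.
function lastIndexOfChecked(arr, target, fromIndex) {
  const len = arr.length;
  const n = toInteger(fromIndex);
  let k = startIndex(n, len);
  if (k >= arr.length) k = arr.length - 1;   // the check the stale version lacks
  return search(arr, target, k);
}

// Constructed fromIndex whose conversion shrinks the array before returning.
function shrinkingIndex(arr, newLength, value) {
  return { valueOf() { arr.length = newLength; return value; } };
}
```

With a four-element array and `shrinkingIndex(arr, 1, 3)`, the stale version reports a match at index 3 although the logical length is now 1, while the checked version only reads index 0.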