Maya Lekova authored
The fast_call_count getter in d8 was not properly initialised as throwing when called as a constructor. As a result, it was possible to pass a new object as its `this` and then attempt to "unwrap" it, resulting in reading OOB in the new object. This CL also strengthens slow_call_count and reset_counts and adds a regression test.

Bug: chromium:1241464
Change-Id: I9b6e9a4e38a974dc111a53b911c73514c30de9df
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3110369
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76426}
a92cba8c