Closed Bug 1590731 Opened 6 years ago Closed 6 years ago

TypedArray indices not properly handled in megamorphic stubs for [[Get]] and [[Has]]

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla72

Tracking Flags:

Tracking

Status

firefox72

---

fixed

People

(Reporter: anba, Assigned: anba)

References

Details

Attachments

(1 file)

Bug 1590731: Don't read past TypedArray indices in megamorphic stubs. r=jandem! 6 years ago André Bargull [:anba] 47 bytes, text/x-phabricator-request		Details \| Review

André Bargull [:anba]

Assignee

Description

•

6 years ago

GetNativeDataPropertyPure and HasNativeDataPropertyPure shouldn't read past possible TypedArray indices.

André Bargull [:anba]

Assignee

Comment 1

•

6 years ago

Attached file Bug 1590731: Don't read past TypedArray indices in megamorphic stubs. r=jandem! — Details

TypedArrays intercept any TypedArray indices, so we shouldn't read past these
indices in the megamorphic stubs.

Steven DeTar [:sdetar]

Updated

•

6 years ago

Priority: -- → P1

Pulsebot

Comment 2

•

6 years ago

Pushed by rmaries@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/992b39c41212 Don't read past TypedArray indices in megamorphic stubs. r=jandem

Cosmin Sabou [:CosminS]

Comment 3

•

6 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/992b39c41212

Status: ASSIGNED → RESOLVED

Closed: 6 years ago

status-firefox72: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla72

You need to log in before you can comment on or make changes to this bug.

Bugzilla

TypedArray indices not properly handled in megamorphic stubs for [[Get]] and [[Has]]

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Tracking

()

People

(Reporter: anba, Assigned: anba)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Updated

Comment 2

Comment 3

Attachment

General

Description

File Name

Content Type