Reviewers: Jakob,
Description:
Version 4.5.103.17 (cherry-pick)
Merged ed3e5d1f3a57ad1756b4276235e1a72033f2f16f
Check whether a typed array was neutered before writing to it
BUG=chromium:516251
LOG=N
[email protected]
Please review this at https://codereview.chromium.org/1272173002/
Base URL: https://chromium.googlesource.com/v8/[email protected]
Affected files (+7, -1 lines):
M include/v8-version.h
M src/objects.cc
Index: include/v8-version.h
diff --git a/include/v8-version.h b/include/v8-version.h
index
0a64e76e25a193027a1123be65f81932b3a7be4d..7de6959c06bd9eab44a60afe7ceff0f102b14b1e
100644
--- a/include/v8-version.h
+++ b/include/v8-version.h
@@ -11,7 +11,7 @@
#define V8_MAJOR_VERSION 4
#define V8_MINOR_VERSION 5
#define V8_BUILD_NUMBER 103
-#define V8_PATCH_LEVEL 16
+#define V8_PATCH_LEVEL 17
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
d27247175cd49ccb75909488c436dec7233808f3..f919d422c9c3e3cffadf0ac65f2d5573acf96623
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -3298,6 +3298,12 @@ MaybeHandle<Object>
Object::SetDataProperty(LookupIterator* it,
// have been invalidated since typed array elements cannot be
reconfigured
// in any way.
it->ReloadHolderMap();
+
+ // We have to recheck the length. However, it can only change if the
+ // underlying buffer was neutered, so just check that.
+ if (Handle<JSArrayBufferView>::cast(receiver)->WasNeutered()) {
+ return value;
+ }
}
}
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
