[csa] Fix is-neutered check in EmitBigTypedArrayElementStore

jakobkummerow · Commit Bot · commit a24d5ad7879f · 2018-07-27T21:40:03.000Z
The ToBigInt conversion can have side effects, so the check for neutered-ness must happen afterwards. Bug: chromium:867776 Change-Id: I6e550c77a284da4cf132c21a6c3b1ed8f34eedc9 Reviewed-on: https://chromium-review.googlesource.com/1153553 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Dan Elphick <delphick@chromium.org> Cr-Commit-Position: refs/heads/master@{#54761}
diff --git a/src/code-stub-assembler.cc b/src/code-stub-assembler.cc
@@ -9243,13 +9243,14 @@ void CodeStubAssembler::EmitBigTypedArrayElementStore(
     TNode<JSTypedArray> object, TNode<FixedTypedArrayBase> elements,
     TNode<IntPtrT> intptr_key, TNode<Object> value, TNode<Context> context,
     Label* opt_if_neutered) {
+  TNode<BigInt> bigint_value = ToBigInt(context, value);
+
   if (opt_if_neutered != nullptr) {
-    // Check if buffer has been neutered.
+    // Check if buffer has been neutered. Must happen after {ToBigInt}!
     Node* buffer = LoadObjectField(object, JSArrayBufferView::kBufferOffset);
     GotoIf(IsDetachedBuffer(buffer), opt_if_neutered);
   }
 
-  TNode<BigInt> bigint_value = ToBigInt(context, value);
   TNode<RawPtrT> backing_store = LoadFixedTypedArrayBackingStore(elements);
   TNode<IntPtrT> offset = ElementOffsetFromIndex(intptr_key, BIGINT64_ELEMENTS,
                                                  INTPTR_PARAMETERS, 0);
diff --git a/test/mjsunit/regress/regress-crbug-867776.js b/test/mjsunit/regress/regress-crbug-867776.js
@@ -0,0 +1,22 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+for (var i = 0; i < 3; i++) {
+  var array = new BigInt64Array(200);
+
+  function evil_callback() {
+    %ArrayBufferNeuter(array.buffer);
+    gc();
+    return 1094795585n;
+  }
+
+  var evil_object = {valueOf: evil_callback};
+  var root;
+  try {
+    root = BigInt64Array.of.call(function() { return array }, evil_object);
+  } catch(e) {}
+  gc();
+}
