[builtins] Fix OOB read/write using Array.from

Always use the runtime to set the length on an array if it doesn't match
the expected length after populating it using Array.from.

Bug: chromium:821137
Change-Id: I5a730db58de61ba789040e6dfc815d6067fbae64
Reviewed-on: https://chromium-review.googlesource.com/962222
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51919}
2 files changed
tree: 0b728ed5f0f905f1fc098d6c1d8de5d04a3ea80a
README.md

V8 JavaScript Engine

V8 is Google's open source JavaScript engine.

V8 implements ECMAScript as specified in ECMA-262.

V8 is written in C++ and is used in Google Chrome, the open source browser from Google.

V8 can run standalone, or can be embedded into any C++ application.

V8 Project page: https://github.com/v8/v8/wiki

Getting the Code

Check out depot tools, and run

    fetch v8

This will check out V8 into the directory v8 and fetch all of its dependencies. To stay up to date, run

    git pull origin
    gclient sync

To fetch all branches, add the following to your remote configuration in .git/config:

    fetch = +refs/branch-heads/*:refs/remotes/branch-heads/*
    fetch = +refs/tags/*:refs/tags/*

Contributing

Please follow the instructions mentioned on the V8 wiki.