Side by Side Diff: src/objects.cc

Issue 7565009: Fix out-of-bounds access in fetching propery names (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: additional fixes Created 9 years, 4 months ago
1 // Copyright 2011 the V8 project authors. All rights reserved. 1 // Copyright 2011 the V8 project authors. All rights reserved.
2 // Redistribution and use in source and binary forms, with or without 2 // Redistribution and use in source and binary forms, with or without
3 // modification, are permitted provided that the following conditions are 3 // modification, are permitted provided that the following conditions are
4 // met: 4 // met:
5 // 5 //
6 // * Redistributions of source code must retain the above copyright 6 // * Redistributions of source code must retain the above copyright
7 // notice, this list of conditions and the following disclaimer. 7 // notice, this list of conditions and the following disclaimer.
8 // * Redistributions in binary form must reproduce the above 8 // * Redistributions in binary form must reproduce the above
9 // copyright notice, this list of conditions and the following 9 // copyright notice, this list of conditions and the following
10 // disclaimer in the documentation and/or other materials provided 10 // disclaimer in the documentation and/or other materials provided
9530 // mirrors. 9530 // mirrors.
9531 void JSObject::GetLocalPropertyNames(FixedArray* storage, int index) { 9531 void JSObject::GetLocalPropertyNames(FixedArray* storage, int index) {
9532 ASSERT(storage->length() >= (NumberOfLocalProperties(NONE) - index)); 9532 ASSERT(storage->length() >= (NumberOfLocalProperties(NONE) - index));
9533 if (HasFastProperties()) { 9533 if (HasFastProperties()) {
9534 DescriptorArray* descs = map()->instance_descriptors(); 9534 DescriptorArray* descs = map()->instance_descriptors();
9535 for (int i = 0; i < descs->number_of_descriptors(); i++) { 9535 for (int i = 0; i < descs->number_of_descriptors(); i++) {
9536 if (descs->IsProperty(i)) storage->set(index++, descs->GetKey(i)); 9536 if (descs->IsProperty(i)) storage->set(index++, descs->GetKey(i));
9537 } 9537 }
9538 ASSERT(storage->length() >= index); 9538 ASSERT(storage->length() >= index);
9539 } else { 9539 } else {
9540 property_dictionary()->CopyKeysTo(storage, StringDictionary::UNSORTED); 9540 property_dictionary()->CopyKeysTo(storage,
9541 index,
9542 StringDictionary::UNSORTED);
9541 } 9543 }
9542 } 9544 }
9543 9545
9544 9546
9545 int JSObject::NumberOfLocalElements(PropertyAttributes filter) { 9547 int JSObject::NumberOfLocalElements(PropertyAttributes filter) {
9546 return GetLocalElementKeys(NULL, filter); 9548 return GetLocalElementKeys(NULL, filter);
9547 } 9549 }
9548 9550
9549 9551
9550 int JSObject::NumberOfEnumElements() { 9552 int JSObject::NumberOfEnumElements() {
10279 int, JSObject::DeleteMode); 10281 int, JSObject::DeleteMode);
10280 10282
10281 template MaybeObject* Dictionary<StringDictionaryShape, String*>::Shrink( 10283 template MaybeObject* Dictionary<StringDictionaryShape, String*>::Shrink(
10282 String*); 10284 String*);
10283 10285
10284 template MaybeObject* Dictionary<NumberDictionaryShape, uint32_t>::Shrink( 10286 template MaybeObject* Dictionary<NumberDictionaryShape, uint32_t>::Shrink(
10285 uint32_t); 10287 uint32_t);
10286 10288
10287 template void Dictionary<StringDictionaryShape, String*>::CopyKeysTo( 10289 template void Dictionary<StringDictionaryShape, String*>::CopyKeysTo(
10288 FixedArray*, 10290 FixedArray*,
10291 int,
10289 Dictionary<StringDictionaryShape, String*>::SortMode); 10292 Dictionary<StringDictionaryShape, String*>::SortMode);
10290 10293
10291 template int 10294 template int
10292 Dictionary<StringDictionaryShape, String*>::NumberOfElementsFilterAttributes( 10295 Dictionary<StringDictionaryShape, String*>::NumberOfElementsFilterAttributes(
10293 PropertyAttributes); 10296 PropertyAttributes);
10294 10297
10295 template MaybeObject* Dictionary<StringDictionaryShape, String*>::Add( 10298 template MaybeObject* Dictionary<StringDictionaryShape, String*>::Add(
10296 String*, Object*, PropertyDetails); 10299 String*, Object*, PropertyDetails);
10297 10300
10298 template MaybeObject* 10301 template MaybeObject*
11408 } 11411 }
11409 } 11412 }
11410 storage->SortPairs(sort_array, sort_array->length()); 11413 storage->SortPairs(sort_array, sort_array->length());
11411 ASSERT(storage->length() >= index); 11414 ASSERT(storage->length() >= index);
11412 } 11415 }
11413 11416
11414 11417
11415 template<typename Shape, typename Key> 11418 template<typename Shape, typename Key>
11416 void Dictionary<Shape, Key>::CopyKeysTo( 11419 void Dictionary<Shape, Key>::CopyKeysTo(
11417 FixedArray* storage, 11420 FixedArray* storage,
11421 int index,
11418 typename Dictionary<Shape, Key>::SortMode sort_mode) { 11422 typename Dictionary<Shape, Key>::SortMode sort_mode) {
11419 ASSERT(storage->length() >= NumberOfElementsFilterAttributes( 11423 ASSERT(storage->length() >= NumberOfElementsFilterAttributes(
11420 static_cast<PropertyAttributes>(NONE))); 11424 static_cast<PropertyAttributes>(NONE)));
11421 int capacity = HashTable<Shape, Key>::Capacity(); 11425 int capacity = HashTable<Shape, Key>::Capacity();
11422 int index = 0;
11423 for (int i = 0; i < capacity; i++) { 11426 for (int i = 0; i < capacity; i++) {
11424 Object* k = HashTable<Shape, Key>::KeyAt(i); 11427 Object* k = HashTable<Shape, Key>::KeyAt(i);
11425 if (HashTable<Shape, Key>::IsKey(k)) { 11428 if (HashTable<Shape, Key>::IsKey(k)) {
11426 PropertyDetails details = DetailsAt(i); 11429 PropertyDetails details = DetailsAt(i);
11427 if (details.IsDeleted()) continue; 11430 if (details.IsDeleted()) continue;
11428 storage->set(index++, k); 11431 storage->set(index++, k);
11429 } 11432 }
11430 } 11433 }
11431 if (sort_mode == Dictionary<Shape, Key>::SORTED) { 11434 if (sort_mode == Dictionary<Shape, Key>::SORTED) {
11432 storage->SortPairs(storage, index); 11435 storage->SortPairs(storage, index);
11894 if (break_point_objects()->IsUndefined()) return 0; 11897 if (break_point_objects()->IsUndefined()) return 0;
11895 // Single break point. 11898 // Single break point.
11896 if (!break_point_objects()->IsFixedArray()) return 1; 11899 if (!break_point_objects()->IsFixedArray()) return 1;
11897 // Multiple break points. 11900 // Multiple break points.
11898 return FixedArray::cast(break_point_objects())->length(); 11901 return FixedArray::cast(break_point_objects())->length();
11899 } 11902 }
11900 #endif 11903 #endif
11901 11904
11902 11905
11903 } } // namespace v8::internal 11906 } } // namespace v8::internal
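Review bot: The length check at the top of Dictionary::CopyKeysTo (new line 11423) still compares storage->length() against the element count alone, so now that writes start at the caller-supplied `index` it no longer detects the overrun this change is meant to fix; it should include the offset: `ASSERT(storage->length() >= index + NumberOfElementsFilterAttributes(static_cast<PropertyAttributes>(NONE)));`. The dictionary branch of JSObject::GetLocalPropertyNames (new lines 9540-9542) likewise has no trailing `ASSERT(storage->length() >= index);` like the fast-properties branch at 9538, and since ASSERT is a debug-only check, release builds depend entirely on the caller sizing `storage` correctly. If any caller passes SORTED together with a nonzero index, `storage->SortPairs(storage, index)` at 11435 now also reorders the caller's entries below the offset, which is worth confirming against the other CopyKeysTo call sites. CopyKeysTo's body continues past the end of this hunk.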