Check that an index is in the range of 0 to array length in ArrayConcatVisito...

src/runtime.cc

 // Copyright 2006-2008 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 3976 matching lines @@
 }
 
 
 /**
  * A simple visitor visits every element of Array's.
  * The backend storage can be a fixed array for fast elements case,
  * or a dictionary for sparse array. Since Dictionary is a subtype
  * of FixedArray, the class can be used by both fast and slow cases.
  * The second parameter of the constructor, fast_elements, specifies
  * whether the storage is a FixedArray or Dictionary.
+ *
+ * An index limit is used to deal with the situation that a result array
+ * length overflows 32-bit non-negative integer.
  */
 class ArrayConcatVisitor {
  public:
-  ArrayConcatVisitor(Handle<FixedArray> storage, bool fast_elements)
-    : storage_(storage), fast_elements_(fast_elements), index_offset_(0) { }
+  ArrayConcatVisitor(Handle<FixedArray> storage,
+                     uint32_t index_limit,
+                     bool fast_elements) :
+      storage_(storage), index_limit_(index_limit),
+      fast_elements_(fast_elements), index_offset_(0) { }
 
   void visit(uint32_t i, Handle<Object> elm) {
     uint32_t index = i + index_offset_;
-
+    if (index >= index_limit_) return;
+ 
     if (fast_elements_) {
       ASSERT(index < static_cast<uint32_t>(storage_->length()));
       storage_->set(index, *elm);
 
     } else {
       Handle<Dictionary> dict = Handle<Dictionary>::cast(storage_);
       Handle<Dictionary> result =
           Factory::DictionaryAtNumberPut(dict, index, elm);
       if (!result.is_identical_to(dict))
         storage_ = result;
     }
   }
 
   void increase_index_offset(uint32_t delta) {
     index_offset_ += delta;
   }
 
  private:
   Handle<FixedArray> storage_;
+  uint32_t index_limit_;
   bool fast_elements_;
   uint32_t index_offset_;
 };
 
 
 /**
  * A helper function that visits elements of a JSObject. Only elements
  * whose index between 0 and range (exclusive) are visited.
  *
  * If the third parameter, visitor, is not NULL, the visitor is called
@@ skipping 84 matching lines @@
 
 /**
  * A helper function of Runtime_ArrayConcat.
  *
  * The first argument is an Array of Arrays and objects. It is the same as
  * the arguments array of Array::concat JS function.
  *
  * If an argument is an Array object, the function visits array elements.
  * If an argument is not an Array object, the function visits the object
  * as if it is an one-element array.
+ *
+ * If the result array index overflows 32-bit integer, the rounded non-negative
+ * number is used as new length. For example, if one array length is 2^32 - 1,
+ * second array length is 1, the concatenated array length is 0.
  */
 static uint32_t IterateArguments(Handle<JSArray> arguments,
                                  ArrayConcatVisitor* visitor) {
   uint32_t visited_elements = 0;
   uint32_t num_of_args = static_cast<uint32_t>(arguments->length()->Number());
 
   for (uint32_t i = 0; i < num_of_args; i++) {
     Handle<Object> obj(arguments->GetElement(i));
     if (obj->IsJSArray()) {
       Handle<JSArray> array = Handle<JSArray>::cast(obj);
@@ skipping 61 matching lines @@
   } else {
     // TODO(126): move 25% pre-allocation logic into Dictionary::Allocate
     uint32_t at_least_space_for = estimate_nof_elements +
                                   (estimate_nof_elements >> 2);
     storage = Handle<FixedArray>::cast(
                   Factory::NewDictionary(at_least_space_for));
   }
 
   Handle<Object> len = Factory::NewNumber(static_cast<double>(result_length));
 
-  ArrayConcatVisitor visitor(storage, fast_case);
+  ArrayConcatVisitor visitor(storage, result_length, fast_case);
 
   IterateArguments(arguments, &visitor);
 
   result->set_length(*len);
   result->set_elements(*storage);
 
   return *result;
 }
 
 
@@ skipping 1533 matching lines @@
 
 void Runtime::PerformGC(Object* result) {
   Failure* failure = Failure::cast(result);
   // Try to do a garbage collection; ignore it if it fails. The C
   // entry stub will throw an out-of-memory exception in that case.
   Heap::CollectGarbage(failure->requested(), failure->allocation_space());
 }
 
 
 } }  // namespace v8::internal