src/runtime.cc - Issue 8836: Check that an index is in the range of 0 to array length in ArrayConcatVisito...

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/runtime.cc

Issue 8836: Check that an index is in the range of 0 to array length in ArrayConcatVisito... (Closed) Base URL: http://v8.googlecode.com/svn/branches/bleeding_edge/

Patch Set: Created 12 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/runtime.cc

===================================================================

--- src/runtime.cc (revision 627)

+++ src/runtime.cc (working copy)

@@ -3994,15 +3994,22 @@

* of FixedArray, the class can be used by both fast and slow cases.

* The second parameter of the constructor, fast_elements, specifies

* whether the storage is a FixedArray or Dictionary.

+ *

+ * An index limit is used to deal with the situation that a result array

+ * length overflows 32-bit non-negative integer.

class ArrayConcatVisitor {

public:

- ArrayConcatVisitor(Handle<FixedArray> storage, bool fast_elements)

- : storage_(storage), fast_elements_(fast_elements), index_offset_(0) { }

+ ArrayConcatVisitor(Handle<FixedArray> storage,

+ uint32_t index_limit,

+ bool fast_elements) :

+ storage_(storage), index_limit_(index_limit),

+ fast_elements_(fast_elements), index_offset_(0) { }

void visit(uint32_t i, Handle<Object> elm) {

uint32_t index = i + index_offset_;

+ if (index >= index_limit_) return;

if (fast_elements_) {

ASSERT(index < static_cast<uint32_t>(storage_->length()));

storage_->set(index, *elm);

@@ -4022,6 +4029,7 @@

private:

Handle<FixedArray> storage_;

+ uint32_t index_limit_;

bool fast_elements_;

uint32_t index_offset_;

};

@@ -4126,6 +4134,10 @@

* If an argument is an Array object, the function visits array elements.

* If an argument is not an Array object, the function visits the object

* as if it is an one-element array.

+ *

+ * If the result array index overflows 32-bit integer, the rounded non-negative

+ * number is used as new length. For example, if one array length is 2^32 - 1,

+ * second array length is 1, the concatenated array length is 0.

static uint32_t IterateArguments(Handle<JSArray> arguments,

ArrayConcatVisitor* visitor) {

@@ -4207,7 +4219,7 @@

Handle<Object> len = Factory::NewNumber(static_cast<double>(result_length));

- ArrayConcatVisitor visitor(storage, fast_case);

+ ArrayConcatVisitor visitor(storage, result_length, fast_case);

IterateArguments(arguments, &visitor);

« no previous file with comments | « no previous file | no next file » | no next file with comments »