Flatten the Arrays returned and consumed by the v8::Map API

src/api.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/api.h"
 
 #include <string.h>  // For memcpy, strlen.
 #ifdef V8_USE_ADDRESS_SANITIZER
 #include <sanitizer/asan_interface.h>
 #endif  // V8_USE_ADDRESS_SANITIZER
@@ skipping 6254 matching lines @@
 }
 
 
 Local<Array> Map::AsArray() const {
   i::Handle<i::JSMap> obj = Utils::OpenHandle(this);
   i::Isolate* isolate = obj->GetIsolate();
   i::Factory* factory = isolate->factory();
   LOG_API(isolate, "Map::AsArray");
   ENTER_V8(isolate);
   i::Handle<i::OrderedHashMap> table(i::OrderedHashMap::cast(obj->table()));
-  int length = table->NumberOfElements();
+  int size = table->NumberOfElements();
+  int length = size * 2;

[jochen (gone - plz use gerrit), 2015/06/03 10:44:51]

can this overflow?

[adamk, 2015/06/03 15:35:30]

NumberOfElements is stored in a Smi and is guaranteed to be positive, so I don't
think so.

[Jakob Kummerow, 2015/06/05 15:05:47]

Uhm... I don't follow this reasoning. On 64-bit platforms, Smis and ints both
have 32 bits including the sign, so a value close to the maximum can absolutely
overflow when you *2 it. Please use CheckedNumerics (from safe_math.h) for
anything that comes even remotely close to the overflow threshold, and is
stability/security sensitive like allocations and indexed accesses are.

[adamk, 2015/06/05 17:42:20]

Sorry, my reason was indeed bogus (I must have been thinking of 31-bit Smis),
but this is safe because OrderedHashTable::kMaxCapacity <
FixedArray::kMaxLength, which itself is already bounded well below int overflow
range.

   i::Handle<i::FixedArray> result = factory->NewFixedArray(length);
-  for (int i = 0; i < length; ++i) {
+  for (int i = 0; i < size; ++i) {
     if (table->KeyAt(i)->IsTheHole()) continue;
-    i::HandleScope handle_scope(isolate);
-    i::Handle<i::FixedArray> entry = factory->NewFixedArray(2);
-    entry->set(0, table->KeyAt(i));
-    entry->set(1, table->ValueAt(i));
-    i::Handle<i::JSArray> entry_array =
-        factory->NewJSArrayWithElements(entry, i::FAST_ELEMENTS, 2);
-    result->set(i, *entry_array);
+    result->set(i * 2, table->KeyAt(i));
+    result->set(i * 2 + 1, table->ValueAt(i));
   }
   i::Handle<i::JSArray> result_array =
       factory->NewJSArrayWithElements(result, i::FAST_ELEMENTS, length);
   return Utils::ToLocal(result_array);
 }
 
 
 MaybeLocal<Map> Map::FromArray(Local<Context> context, Local<Array> array) {
   PREPARE_FOR_EXECUTION(context, "Map::FromArray", Map);
+  if (array->Length() % 2 != 0) {
+    return MaybeLocal<Map>();
+  }
   i::Handle<i::Object> result;
   i::Handle<i::Object> argv[] = {Utils::OpenHandle(*array)};
   has_pending_exception =
       !i::Execution::Call(isolate, isolate->map_from_array(),
                           isolate->factory()->undefined_value(),
                           arraysize(argv), argv, false).ToHandle(&result);
   RETURN_ON_FAILED_EXECUTION(Map);
   RETURN_ESCAPED(Local<Map>::Cast(Utils::ToLocal(result)));
 }
 
@@ skipping 2057 matching lines @@
   Address callback_address =
       reinterpret_cast<Address>(reinterpret_cast<intptr_t>(callback));
   VMState<EXTERNAL> state(isolate);
   ExternalCallbackScope call_scope(isolate, callback_address);
   callback(info);
 }
 
 
 }  // namespace internal
 }  // namespace v8