
Side by Side Diff: src/runtime/runtime-array.cc

Issue 1218503002: Add bounds-checking in runtime implementations of %FixedArray{Get,Set} (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: Created 5 years, 6 months ago
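--- a/src/runtime/runtime-array.cc
+++ b/src/runtime/runtime-array.cc
@@ -1,10 +1,10 @@
 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/v8.h"
 
 #include "src/arguments.h"
 #include "src/elements.h"
 #include "src/messages.h"
 #include "src/runtime/runtime-utils.h"
@@ -51,33 +51,35 @@
 InstallBuiltin(isolate, holder, "splice", Builtins::kArraySplice);
 InstallBuiltin(isolate, holder, "concat", Builtins::kArrayConcat);
 
 return *holder;
 }
 
 
 RUNTIME_FUNCTION(Runtime_FixedArrayGet) {
 SealHandleScope shs(isolate);
 DCHECK(args.length() == 2);
-CONVERT_ARG_CHECKED(FixedArray, object, 0);
+CONVERT_ARG_CHECKED(FixedArray, array, 0);
 CONVERT_SMI_ARG_CHECKED(index, 1);
-return object->get(index);
+RUNTIME_ASSERT(index < array->length());
+return array->get(index);
 }
 
 
 RUNTIME_FUNCTION(Runtime_FixedArraySet) {
 SealHandleScope shs(isolate);
 DCHECK(args.length() == 3);
-CONVERT_ARG_CHECKED(FixedArray, object, 0);
+CONVERT_ARG_CHECKED(FixedArray, array, 0);
 CONVERT_SMI_ARG_CHECKED(index, 1);
 CONVERT_ARG_CHECKED(Object, value, 2);
-object->set(index, value);
+RUNTIME_ASSERT(index < array->length());
+array->set(index, value);
 return isolate->heap()->undefined_value();
 }
 
 
 RUNTIME_FUNCTION(Runtime_TransitionElementsKind) {
 HandleScope scope(isolate);
 RUNTIME_ASSERT(args.length() == 2);
 CONVERT_ARG_HANDLE_CHECKED(JSArray, array, 0);
 CONVERT_ARG_HANDLE_CHECKED(Map, map, 1);
 JSObject::TransitionElementsKind(array, map->elements_kind());
@@ -1317,10 +1319,10 @@
 
 RUNTIME_FUNCTION(Runtime_FastOneByteArrayJoin) {
 SealHandleScope shs(isolate);
 DCHECK(args.length() == 2);
 // Returning undefined means that this fast path fails and one has to resort
 // to a slow path.
 return isolate->heap()->undefined_value();
 }
 } // namespace internal
 } // namespace v8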
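Review bot: The new guard at new line 63 in Runtime_FixedArrayGet (and the same guard at new line 74 in Runtime_FixedArraySet) rejects only indices at or past the end; `index` comes from CONVERT_SMI_ARG_CHECKED as a signed int as far as I can tell, so a negative Smi still satisfies `index < array->length()` and reaches `array->get(index)` / `array->set(index, value)` with an offset before the backing store. Both checks should read `RUNTIME_ASSERT(index >= 0 && index < array->length());` so the bounds check is two-sided and the RUNTIME_ASSERT failure path, rather than a wild heap access, handles every out-of-range value. If these runtime functions are only reachable from natives that already guarantee a non-negative index, a short comment above each guard saying so would make the one-sided form look intentional rather than accidental.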