Chromium Code Reviews Chromium Code Reviews
Issue 1420663003:
Avoid calling %AddElement with a number out of array index range (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2006-2008 the V8 project authors. All rights reserved. | 1 // Copyright 2006-2008 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // This files contains runtime support implemented in JavaScript. | 5 // This files contains runtime support implemented in JavaScript. |
| 6 | 6 |
| 7 // CAUTION: Some of the functions specified in this file are called | 7 // CAUTION: Some of the functions specified in this file are called |
| 8 // directly from compiled code. These are the functions with names in | 8 // directly from compiled code. These are the functions with names in |
| 9 // ALL CAPS. The compiled code passes the first argument in 'this'. | 9 // ALL CAPS. The compiled code passes the first argument in 'this'. |
| 10 | 10 |
| (...skipping 176 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 187 if (NUMBER_IS_NAN(x) && NUMBER_IS_NAN(y)) return true; | 187 if (NUMBER_IS_NAN(x) && NUMBER_IS_NAN(y)) return true; |
| 188 } | 188 } |
| 189 if (IS_SIMD_VALUE(x)) return %SimdSameValueZero(x, y); | 189 if (IS_SIMD_VALUE(x)) return %SimdSameValueZero(x, y); |
| 190 return x === y; | 190 return x === y; |
| 191 } | 191 } |
| 192 | 192 |
| 193 | 193 |
| 194 function ConcatIterableToArray(target, iterable) { | 194 function ConcatIterableToArray(target, iterable) { |
| 195 var index = target.length; | 195 var index = target.length; |
| 196 for (var element of iterable) { | 196 for (var element of iterable) { |
| 197 %AddElement(target, index++, element); | 197 AddIndexedProperty(target, index++, element); |
| 198 } | 198 } |
| 199 return target; | 199 return target; |
| 200 } | 200 } |
| 201 | 201 |
| 202 | 202 |
| 203 /* --------------------------------- | 203 /* --------------------------------- |
| 204 - - - U t i l i t i e s - - - | 204 - - - U t i l i t i e s - - - |
| 205 --------------------------------- | 205 --------------------------------- |
| 206 */ | 206 */ |
| 207 | 207 |
| 208 | 208 |
| 209 // This function should be called rather than %AddElement in contexts where the | |
| 210 // argument might not be less than 2**32-1. ES2015 ToLength semantics mean that | |
| 211 // this is a concern at basically all callsites. | |
| 212 function AddIndexedProperty(obj, index, value) { | |
| 213 if (index === TO_UINT32(index)) { | |
|
Toon Verwaest
2015/10/29 10:41:01
kMaxUint32 isn't a valid element either. Max lengt
| |
| 214 %AddElement(obj, index, value); | |
| 215 } else { | |
| 216 %AddNamedProperty(obj, TO_STRING(index), value, NONE); | |
| 217 } | |
| 218 } | |
| 219 %SetForceInlineFlag(AddIndexedProperty); | |
| 220 | |
| 221 | |
| 209 // ES6, draft 10-14-14, section 22.1.3.1.1 | 222 // ES6, draft 10-14-14, section 22.1.3.1.1 |
| 210 function IsConcatSpreadable(O) { | 223 function IsConcatSpreadable(O) { |
| 211 if (!IS_SPEC_OBJECT(O)) return false; | 224 if (!IS_SPEC_OBJECT(O)) return false; |
| 212 var spreadable = O[isConcatSpreadableSymbol]; | 225 var spreadable = O[isConcatSpreadableSymbol]; |
| 213 if (IS_UNDEFINED(spreadable)) return IS_ARRAY(O); | 226 if (IS_UNDEFINED(spreadable)) return IS_ARRAY(O); |
| 214 return TO_BOOLEAN(spreadable); | 227 return TO_BOOLEAN(spreadable); |
| 215 } | 228 } |
| 216 | 229 |
| 217 | 230 |
| 218 function ToPositiveInteger(x, rangeErrorIndex) { | 231 function ToPositiveInteger(x, rangeErrorIndex) { |
| (...skipping 22 matching lines...) Expand all Loading... | |
| 241 // possible due to code generation for array literals. When | 254 // possible due to code generation for array literals. When |
| 242 // generating code for a array literal a boilerplate array is created | 255 // generating code for a array literal a boilerplate array is created |
| 243 // that is cloned when running the code. It is essential that the | 256 // that is cloned when running the code. It is essential that the |
| 244 // boilerplate gets the right prototype. | 257 // boilerplate gets the right prototype. |
| 245 %FunctionSetPrototype(GlobalArray, new GlobalArray(0)); | 258 %FunctionSetPrototype(GlobalArray, new GlobalArray(0)); |
| 246 | 259 |
| 247 // ---------------------------------------------------------------------------- | 260 // ---------------------------------------------------------------------------- |
| 248 // Exports | 261 // Exports |
| 249 | 262 |
| 250 utils.Export(function(to) { | 263 utils.Export(function(to) { |
| 264 to.AddIndexedProperty = AddIndexedProperty; | |
| 251 to.MaxSimple = MaxSimple; | 265 to.MaxSimple = MaxSimple; |
| 252 to.MinSimple = MinSimple; | 266 to.MinSimple = MinSimple; |
| 253 to.SameValue = SameValue; | 267 to.SameValue = SameValue; |
| 254 to.SameValueZero = SameValueZero; | 268 to.SameValueZero = SameValueZero; |
| 255 to.ToPositiveInteger = ToPositiveInteger; | 269 to.ToPositiveInteger = ToPositiveInteger; |
| 256 }); | 270 }); |
| 257 | 271 |
| 258 %InstallToContext([ | 272 %InstallToContext([ |
| 259 "apply_prepare_builtin", APPLY_PREPARE, | 273 "apply_prepare_builtin", APPLY_PREPARE, |
| 260 "concat_iterable_to_array_builtin", CONCAT_ITERABLE_TO_ARRAY, | 274 "concat_iterable_to_array_builtin", CONCAT_ITERABLE_TO_ARRAY, |
| 261 "reflect_apply_prepare_builtin", REFLECT_APPLY_PREPARE, | 275 "reflect_apply_prepare_builtin", REFLECT_APPLY_PREPARE, |
| 262 "reflect_construct_prepare_builtin", REFLECT_CONSTRUCT_PREPARE, | 276 "reflect_construct_prepare_builtin", REFLECT_CONSTRUCT_PREPARE, |
| 263 ]); | 277 ]); |
| 264 | 278 |
| 265 %InstallToContext([ | 279 %InstallToContext([ |
| 266 "concat_iterable_to_array", ConcatIterableToArray, | 280 "concat_iterable_to_array", ConcatIterableToArray, |
| 267 ]); | 281 ]); |
| 268 | 282 |
| 269 }) | 283 }) |
| OLD | NEW |
