
Unified Diff: src/js/runtime.js

Issue 1420663003: Avoid calling %AddElement with a number out of array index range (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: Fix Array.from and friends Created 5 years, 2 months ago
Index: src/js/runtime.js
diff --git a/src/js/runtime.js b/src/js/runtime.js
index 7e2f12b7d2c3e0d713c5b53fbf647bfaf4b2aa8a..55a1b862148e4eb22b57c821d0ef244c6127a54d 100644
--- a/src/js/runtime.js
+++ b/src/js/runtime.js
@@ -194,7 +194,7 @@ function SameValueZero(x, y) {
function ConcatIterableToArray(target, iterable) {
var index = target.length;
for (var element of iterable) {
- %AddElement(target, index++, element);
+ AddLargeElement(target, index++, element);
}
return target;
}
@@ -206,6 +206,19 @@ function ConcatIterableToArray(target, iterable) {
*/
+// This function should be called rather than %AddElement in contexts where the
+// argument might not be less than 2**32-1. ES2015 ToLength semantics mean that
+// this is a concern at basically all callsites.
+function AddLargeElement(obj, index, value) {
adamk 2015/10/27 22:03:07 Bikeshedding: "LargeElement" sounds to me like the
Dan Ehrenberg 2015/10/28 18:44:43 Done
adamk 2015/10/28 19:52:50 Hmm, "IndexedElement" sounds redundant given the V
+ if (index === index >>> 0) {
adamk 2015/10/27 22:03:07 We have a macro for the RHS of this, TO_UINT32(ind
Dan Ehrenberg 2015/10/28 18:44:43 Done
+ %AddElement(obj, index, value);
+ } else {
+ %AddNamedProperty(obj, GlobalString(index), value, 0);
adamk 2015/10/27 22:03:07 Two things: - Please use TO_STRING() instead of G
Dan Ehrenberg 2015/10/28 18:44:43 Done
+ }
+}
+%SetForceInlineFlag(AddLargeElement);
+
+
// ES6, draft 10-14-14, section 22.1.3.1.1
function IsConcatSpreadable(O) {
if (!IS_SPEC_OBJECT(O)) return false;
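Review bot: The guard `if (index === index >>> 0)` in the new AddLargeElement still sends 2**32-1 to %AddElement, even though the header comment says the helper exists because the index "might not be less than 2**32-1": 4294967295 >>> 0 is 4294967295, so that value passes the test and skips the named-property path. Whether %AddElement tolerates that boundary value is not visible in this hunk, but the condition and the comment disagree, and 2**32-1 is exactly the first value a ToLength-derived index reaches past the array-index range. Tightening it to `if (index === index >>> 0 && index !== 0xFFFFFFFF)` (or the TO_UINT32 form the thread already asks for, with the same upper bound) makes the code match its stated intent. A one-line comment on the else branch, such as `// Not a valid array index: store it as a string-keyed named property instead.`, would also make the fallback obvious to later readers.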
@@ -248,6 +261,7 @@ function MinSimple(a, b) {
// Exports
utils.Export(function(to) {
+ to.AddLargeElement = AddLargeElement;
to.MaxSimple = MaxSimple;
to.MinSimple = MinSimple;
to.SameValue = SameValue;
