| OLD | NEW |
|---|
| 1 // Copyright 2014 the V8 project authors. All rights reserved. | 1 // Copyright 2014 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/runtime/runtime-utils.h" | 5 #include "src/runtime/runtime-utils.h" |
| 6 | 6 |
| 7 #include "src/arguments.h" | 7 #include "src/arguments.h" |
| 8 #include "src/bootstrapper.h" | 8 #include "src/bootstrapper.h" |
| 9 #include "src/debug/debug.h" | 9 #include "src/debug/debug.h" |
| 10 #include "src/isolate-inl.h" | 10 #include "src/isolate-inl.h" |
| (...skipping 489 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 500 Handle<Object> result; | 500 Handle<Object> result; |
| 501 ASSIGN_RETURN_FAILURE_ON_EXCEPTION( | 501 ASSIGN_RETURN_FAILURE_ON_EXCEPTION( |
| 502 isolate, result, | 502 isolate, result, |
| 503 JSObject::SetOwnPropertyIgnoreAttributes(object, name, value, attrs)); | 503 JSObject::SetOwnPropertyIgnoreAttributes(object, name, value, attrs)); |
| 504 return *result; | 504 return *result; |
| 505 } | 505 } |
| 506 | 506 |
| 507 | 507 |
| 508 // Adds an element to an array. | 508 // Adds an element to an array. |
| 509 // This is used to create an indexed data property into an array. | 509 // This is used to create an indexed data property into an array. |
| 510 // TODO(littledan): Eliminate AddElement and switch to something less hacky. |
| 510 RUNTIME_FUNCTION(Runtime_AddElement) { | 511 RUNTIME_FUNCTION(Runtime_AddElement) { |
| 511 HandleScope scope(isolate); | 512 HandleScope scope(isolate); |
| 512 RUNTIME_ASSERT(args.length() == 3); | 513 RUNTIME_ASSERT(args.length() == 3); |
| 513 | 514 |
| 514 CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0); | 515 CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0); |
| 515 CONVERT_ARG_HANDLE_CHECKED(Object, key, 1); | 516 CONVERT_ARG_HANDLE_CHECKED(Object, key, 1); |
| 516 CONVERT_ARG_HANDLE_CHECKED(Object, value, 2); | 517 CONVERT_ARG_HANDLE_CHECKED(Object, value, 2); |
| 517 | 518 |
| 518 uint32_t index = 0; | 519 uint32_t index = 0; |
| 519 CHECK(key->ToArrayIndex(&index)); | 520 |
| 521 Handle<Object> result; |
| 522 if (key->ToArrayIndex(&index)) { |
| 523 #ifdef DEBUG |
| 524 LookupIterator it(isolate, object, index, |
| 525 LookupIterator::OWN_SKIP_INTERCEPTOR); |
| 526 Maybe<PropertyAttributes> maybe = JSReceiver::GetPropertyAttributes(&it); |
| 527 if (!maybe.IsJust()) return isolate->heap()->exception(); |
| 528 RUNTIME_ASSERT(!it.IsFound()); |
| 529 |
| 530 if (object->IsJSArray()) { |
| 531 Handle<JSArray> array = Handle<JSArray>::cast(object); |
| 532 RUNTIME_ASSERT(!JSArray::WouldChangeReadOnlyLength(array, index)); |
| 533 } |
| 534 #endif |
| 535 |
| 536 ASSIGN_RETURN_FAILURE_ON_EXCEPTION( |
| 537 isolate, result, |
| 538 JSObject::SetOwnElementIgnoreAttributes(object, index, value, NONE)); |
| 539 } else { |
| 540 MaybeHandle<Name> maybe_name = Object::ToName(isolate, key); |
| 541 Handle<Name> name = maybe_name.ToHandleChecked(); |
| 520 | 542 |
| 521 #ifdef DEBUG | 543 #ifdef DEBUG |
| 522 LookupIterator it(isolate, object, index, | 544 LookupIterator it(object, name, LookupIterator::OWN_SKIP_INTERCEPTOR); |
| 523 LookupIterator::OWN_SKIP_INTERCEPTOR); | 545 Maybe<PropertyAttributes> maybe = JSReceiver::GetPropertyAttributes(&it); |
| 524 Maybe<PropertyAttributes> maybe = JSReceiver::GetPropertyAttributes(&it); | 546 if (!maybe.IsJust()) return isolate->heap()->exception(); |
| 525 if (!maybe.IsJust()) return isolate->heap()->exception(); | 547 RUNTIME_ASSERT(!it.IsFound()); |
| 526 RUNTIME_ASSERT(!it.IsFound()); | |
| 527 | |
| 528 if (object->IsJSArray()) { | |
| 529 Handle<JSArray> array = Handle<JSArray>::cast(object); | |
| 530 RUNTIME_ASSERT(!JSArray::WouldChangeReadOnlyLength(array, index)); | |
| 531 } | |
| 532 #endif | 548 #endif |
| 533 | 549 |
| 534 Handle<Object> result; | 550 ASSIGN_RETURN_FAILURE_ON_EXCEPTION( |
| 535 ASSIGN_RETURN_FAILURE_ON_EXCEPTION( | 551 isolate, result, |
| 536 isolate, result, | 552 JSObject::SetOwnPropertyIgnoreAttributes(object, name, value, NONE)); |
| 537 JSObject::SetOwnElementIgnoreAttributes(object, index, value, NONE)); | 553 } |
| 538 return *result; | 554 return *result; |
| 539 } | 555 } |
| 540 | 556 |
| 541 | 557 |
| 542 RUNTIME_FUNCTION(Runtime_AppendElement) { | 558 RUNTIME_FUNCTION(Runtime_AppendElement) { |
| 543 HandleScope scope(isolate); | 559 HandleScope scope(isolate); |
| 544 RUNTIME_ASSERT(args.length() == 2); | 560 RUNTIME_ASSERT(args.length() == 2); |
| 545 | 561 |
| 546 CONVERT_ARG_HANDLE_CHECKED(JSArray, array, 0); | 562 CONVERT_ARG_HANDLE_CHECKED(JSArray, array, 0); |
| 547 CONVERT_ARG_HANDLE_CHECKED(Object, value, 1); | 563 CONVERT_ARG_HANDLE_CHECKED(Object, value, 1); |
| (...skipping 1026 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1574 | 1590 |
| 1575 RUNTIME_FUNCTION(Runtime_ObjectDefineProperties) { | 1591 RUNTIME_FUNCTION(Runtime_ObjectDefineProperties) { |
| 1576 HandleScope scope(isolate); | 1592 HandleScope scope(isolate); |
| 1577 DCHECK(args.length() == 2); | 1593 DCHECK(args.length() == 2); |
| 1578 CONVERT_ARG_HANDLE_CHECKED(Object, o, 0); | 1594 CONVERT_ARG_HANDLE_CHECKED(Object, o, 0); |
| 1579 CONVERT_ARG_HANDLE_CHECKED(Object, properties, 1); | 1595 CONVERT_ARG_HANDLE_CHECKED(Object, properties, 1); |
| 1580 return JSReceiver::DefineProperties(isolate, o, properties); | 1596 return JSReceiver::DefineProperties(isolate, o, properties); |
| 1581 } | 1597 } |
| 1582 } // namespace internal | 1598 } // namespace internal |
| 1583 } // namespace v8 | 1599 } // namespace v8 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1425743002:
Modify %AddElement to accept large indices out of array bounds (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master