
Side by Side Diff: src/js/array.js

Issue 1428483002: Check that array length stays a safe integer in Array.prototype.push (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: Use 2**30 Created 5 years, 1 month ago
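--- a/src/js/array.js
+++ b/src/js/array.js
@@ -1,10 +1,10 @@
 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 (function(global, utils, extrasUtils) {
 
 "use strict";
 
 %CheckIsBootstrapping();
 
@@ -510,20 +510,29 @@
 function ArrayPush() {
 CHECK_OBJECT_COERCIBLE(this, "Array.prototype.push");
 
 if (%IsObserved(this))
 return ObservedArrayPush.apply(this, arguments);
 
 var array = TO_OBJECT(this);
 var n = TO_LENGTH_OR_UINT32(array.length);
 var m = %_ArgumentsLength();
 
+// It appears that there is no enforced, absolute limit on the number of
+// arguments, but it would surely blow the stack to use 2**30 or more.
+// To avoid integer overflow, do the comparison to the max safe integer
+// after subtracting 2**30 from both sides. (2**31 would seem like a
+// natural value, but it is negative in JS, and 2**32 is 1.)
+if (m > (1 << 30) || (n - (1 << 30)) + m > kMaxSafeInteger - (1 << 30)) {
+throw MakeTypeError(kPushPastSafeLength, m, n);
+}
+
 for (var i = 0; i < m; i++) {
 array[i+n] = %_Arguments(i);
 }
 
 var new_length = n + m;
 array.length = new_length;
 return new_length;
 }
 
 
@@ -1672,10 +1681,10 @@
 %InstallToContext([
 "array_pop", ArrayPop,
 "array_push", ArrayPush,
 "array_shift", ArrayShift,
 "array_splice", ArraySplice,
 "array_slice", ArraySlice,
 "array_unshift", ArrayUnshift,
 ]);
 
 });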
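Review bot: The safe-length guard added at new lines 525-527 does not cover observed arrays, because `if (%IsObserved(this)) return ObservedArrayPush.apply(this, arguments);` at line 514 exits before the guard runs; unless ObservedArrayPush (defined outside this hunk) performs the same check, an observed array can still be pushed past kMaxSafeInteger. Moving the argument-count and length check ahead of the `%IsObserved` branch, or repeating it in ObservedArrayPush, would make the two paths agree. The error is raised as `MakeTypeError(kPushPastSafeLength, m, n)`, so the placeholder order in the kPushPastSafeLength template in src/messages.h (part of this CL but not shown here) should be confirmed against that `m, n` order. The literal `(1 << 30)` appears four times in one condition; a named local such as `var kArgCountLimit = 1 << 30;` would make the comment's overflow reasoning easier to follow.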