
Side by Side Diff: src/js/array.js

Issue 1428483002: Check that array length stays a safe integer in Array.prototype.push (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: Error should be a TypeError, not a RangeError Created 5 years, 1 month ago
1 // Copyright 2012 the V8 project authors. All rights reserved. 1 // Copyright 2012 the V8 project authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 (function(global, utils, extrasUtils) { 5 (function(global, utils, extrasUtils) {
6 6
7 "use strict"; 7 "use strict";
8 8
9 %CheckIsBootstrapping(); 9 %CheckIsBootstrapping();
10 10
(...skipping 499 matching lines...) Expand 10 before | Expand all | Expand 10 after
510 function ArrayPush() { 510 function ArrayPush() {
511 CHECK_OBJECT_COERCIBLE(this, "Array.prototype.push"); 511 CHECK_OBJECT_COERCIBLE(this, "Array.prototype.push");
512 512
513 if (%IsObserved(this)) 513 if (%IsObserved(this))
514 return ObservedArrayPush.apply(this, arguments); 514 return ObservedArrayPush.apply(this, arguments);
515 515
516 var array = TO_OBJECT(this); 516 var array = TO_OBJECT(this);
517 var n = TO_LENGTH_OR_UINT32(array.length); 517 var n = TO_LENGTH_OR_UINT32(array.length);
518 var m = %_ArgumentsLength(); 518 var m = %_ArgumentsLength();
519 519
520 // The length of arguments can never be more than 2 ** 32, so
adamk 2015/10/26 21:21:02 It looks to me like it can't be more than 2**16, a
Dan Ehrenberg 2015/10/26 22:59:31 We talked about this offline. Apparently it can be
521 // we can do the comparison after subtracting that much from
522 // the length in order to avoid integer overflow.
adamk 2015/10/26 21:21:03 Is this math necessary to get the right answer or
Dan Ehrenberg 2015/10/26 22:59:31 It's necessary for the answer. Without that change
523 if ((n - (1 << 32)) + m > kMaxSafeInteger - (1 << 32)) {
524 throw MakeTypeError(kPushPastSafeLength, m, n);
adamk 2015/10/26 21:21:02 Nit: indentation off, needs one more leading space
Dan Ehrenberg 2015/10/26 22:59:31 Fixed
525 }
526
520 for (var i = 0; i < m; i++) { 527 for (var i = 0; i < m; i++) {
521 array[i+n] = %_Arguments(i); 528 array[i+n] = %_Arguments(i);
522 } 529 }
523 530
524 var new_length = n + m; 531 var new_length = n + m;
525 array.length = new_length; 532 array.length = new_length;
526 return new_length; 533 return new_length;
527 } 534 }
528 535
529 536
(...skipping 1142 matching lines...) Expand 10 before | Expand all | Expand 10 after
1672 %InstallToContext([ 1679 %InstallToContext([
1673 "array_pop", ArrayPop, 1680 "array_pop", ArrayPop,
1674 "array_push", ArrayPush, 1681 "array_push", ArrayPush,
1675 "array_shift", ArrayShift, 1682 "array_shift", ArrayShift,
1676 "array_splice", ArraySplice, 1683 "array_splice", ArraySplice,
1677 "array_slice", ArraySlice, 1684 "array_slice", ArraySlice,
1678 "array_unshift", ArrayUnshift, 1685 "array_unshift", ArrayUnshift,
1679 ]); 1686 ]);
1680 1687
1681 }); 1688 });
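Review bot: The new guard at line 523 does not subtract 2**32 as the comment on lines 520-522 says: in JavaScript the shift count of `<<` is masked to five bits, so `1 << 32` evaluates to `1`, and the expression is effectively `(n - 1) + m > kMaxSafeInteger - 1`. If the subtraction is genuinely needed for the result (the thread says it is), the constant should be spelled out, e.g. `var kTwoPow32 = 4294967296;` and `if ((n - kTwoPow32) + m > kMaxSafeInteger - kTwoPow32) {`; if it is not needed, the comment should go and the check should read `if (n + m > kMaxSafeInteger) {`. Either way the comment and the code should agree, since a later reader will trust the comment's overflow reasoning.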
