
Side by Side Diff: src/builtins.cc

Issue 1782443002: Ensure appropriate bounds checking for Array subclass concat (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: Created 4 years, 9 months ago
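--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -1,10 +1,10 @@
 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/builtins.h"
 
 #include "src/api.h"
 #include "src/api-natives.h"
 #include "src/arguments.h"
 #include "src/base/once.h"
@@ -664,36 +664,36 @@
         ExceedsLimitField::encode(false) |
         IsFixedArrayField::encode(storage->IsFixedArray())) {
     DCHECK(!(this->fast_elements() && !is_fixed_array()));
   }
 
   ~ArrayConcatVisitor() { clear_storage(); }
 
   bool visit(uint32_t i, Handle<Object> elm) {
     uint32_t index = index_offset_ + i;
 
-    if (!is_fixed_array()) {
-      Handle<Object> element_value;
-      ASSIGN_RETURN_ON_EXCEPTION_VALUE(
-          isolate_, element_value,
-          Object::SetElement(isolate_, storage_, index, elm, STRICT), false);
-      return true;
-    }
-
     if (i >= JSObject::kMaxElementCount - index_offset_) {
       set_exceeds_array_limit(true);
       // Exception hasn't been thrown at this point. Return true to
       // break out, and caller will throw. !visit would imply that
       // there is already a pending exception.
       return true;
     }
 
+    if (!is_fixed_array()) {
+      Handle<Object> element_value;
+      ASSIGN_RETURN_ON_EXCEPTION_VALUE(
+          isolate_, element_value,
+          Object::SetElement(isolate_, storage_, index, elm, STRICT), false);
+      return true;
+    }
+
     if (fast_elements()) {
       if (index < static_cast<uint32_t>(storage_fixed_array()->length())) {
         storage_fixed_array()->set(index, *elm);
         return true;
       }
       // Our initial estimate of length was foiled, possibly by
       // getters on the arrays increasing the length of later arrays
       // during iteration.
       // This shouldn't happen in anything but pathological cases.
       SetDictionaryMode();
@@ -4536,10 +4536,10 @@
 BUILTIN_LIST_C(DEFINE_BUILTIN_ACCESSOR_C)
 BUILTIN_LIST_A(DEFINE_BUILTIN_ACCESSOR_A)
 BUILTIN_LIST_H(DEFINE_BUILTIN_ACCESSOR_H)
 BUILTIN_LIST_DEBUG_A(DEFINE_BUILTIN_ACCESSOR_A)
 #undef DEFINE_BUILTIN_ACCESSOR_C
 #undef DEFINE_BUILTIN_ACCESSOR_A
 
 
 } // namespace internal
 } // namespace v8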
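Review bot: The relocated limit check at new lines 674-680 is now the only thing keeping an index at or beyond `JSObject::kMaxElementCount` away from `Object::SetElement` on the non-FixedArray storage path at 682-688, but nothing in the hunk records that ordering as a requirement, so a later tidy-up could move the `SetElement` path back above the check and silently reopen this issue; suggest a comment on the check such as `// Must stay ahead of every storage path below, including the non-FixedArray one, so no index >= kMaxElementCount reaches SetElement.` The check itself only calls `set_exceeds_array_limit(true)` and returns true, dropping the element, so actually throwing still depends on the caller inspecting `exceeds_array_limit()` after `visit()` returns for a non-FixedArray storage as well — that caller is outside this hunk and is worth confirming, ideally with the new regress-crbug-592340.js test driving that path. The enclosing ArrayConcatVisitor class starts before the hunk and `visit()`'s body continues past its last line.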
