Chromium Code Reviews Chromium Code Reviews
Issue 1863553003:
[elements] Fix length bounds precheck for Array.prototype.concat (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2012 the V8 project authors. All rights reserved. | 1 // Copyright 2012 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/elements.h" | 5 #include "src/elements.h" |
| 6 | 6 |
| 7 #include "src/arguments.h" | 7 #include "src/arguments.h" |
| 8 #include "src/conversions.h" | 8 #include "src/conversions.h" |
| 9 #include "src/factory.h" | 9 #include "src/factory.h" |
| 10 #include "src/isolate-inl.h" | 10 #include "src/isolate-inl.h" |
| (...skipping 2975 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2986 bool is_holey = false; | 2986 bool is_holey = false; |
| 2987 // Iterate through all the arguments performing checks | 2987 // Iterate through all the arguments performing checks |
| 2988 // and calculating total length. | 2988 // and calculating total length. |
| 2989 for (uint32_t i = 0; i < concat_size; i++) { | 2989 for (uint32_t i = 0; i < concat_size; i++) { |
| 2990 JSArray* array = JSArray::cast((*args)[i]); | 2990 JSArray* array = JSArray::cast((*args)[i]); |
| 2991 uint32_t len = 0; | 2991 uint32_t len = 0; |
| 2992 array->length()->ToArrayLength(&len); | 2992 array->length()->ToArrayLength(&len); |
| 2993 | 2993 |
| 2994 // We shouldn't overflow when adding another len. | 2994 // We shouldn't overflow when adding another len. |
| 2995 const int kHalfOfMaxInt = 1 << (kBitsPerInt - 2); | 2995 const int kHalfOfMaxInt = 1 << (kBitsPerInt - 2); |
| 2996 STATIC_ASSERT(FixedArray::kMaxLength < kHalfOfMaxInt); | 2996 STATIC_ASSERT(FixedDoubleArray::kMaxLength < kHalfOfMaxInt); |
|
Igor Sheludko
2016/04/05 12:53:27
You could probably also hoist these checks out of
Camillo Bruni
2016/04/05 15:07:48
done
| |
| 2997 USE(kHalfOfMaxInt); | 2997 USE(kHalfOfMaxInt); |
| 2998 result_len += len; | 2998 result_len += len; |
| 2999 DCHECK(0 <= result_len); | 2999 DCHECK(0 <= result_len); |
| 3000 DCHECK(result_len <= FixedDoubleArray::kMaxLength); | 3000 DCHECK(result_len <= FixedDoubleArray::kMaxLength); |
|
Igor Sheludko
2016/04/05 12:53:27
How about also adding:
STATIC_ASSERT(FixedDouble
| |
| 3001 | 3001 |
| 3002 ElementsKind arg_kind = array->GetElementsKind(); | 3002 ElementsKind arg_kind = array->GetElementsKind(); |
| 3003 has_raw_doubles = has_raw_doubles || IsFastDoubleElementsKind(arg_kind); | 3003 has_raw_doubles = has_raw_doubles || IsFastDoubleElementsKind(arg_kind); |
| 3004 is_holey = is_holey || IsFastHoleyElementsKind(arg_kind); | 3004 is_holey = is_holey || IsFastHoleyElementsKind(arg_kind); |
| 3005 result_elements_kind = | 3005 result_elements_kind = |
| 3006 GetMoreGeneralElementsKind(result_elements_kind, arg_kind); | 3006 GetMoreGeneralElementsKind(result_elements_kind, arg_kind); |
| 3007 } | 3007 } |
| 3008 if (is_holey) { | 3008 if (is_holey) { |
| 3009 result_elements_kind = GetHoleyElementsKind(result_elements_kind); | 3009 result_elements_kind = GetHoleyElementsKind(result_elements_kind); |
| 3010 } | 3010 } |
| (...skipping 26 matching lines...) Expand all Loading... | |
| 3037 insertion_index += len; | 3037 insertion_index += len; |
| 3038 } | 3038 } |
| 3039 | 3039 |
| 3040 DCHECK_EQ(insertion_index, result_len); | 3040 DCHECK_EQ(insertion_index, result_len); |
| 3041 return result_array; | 3041 return result_array; |
| 3042 } | 3042 } |
| 3043 | 3043 |
| 3044 ElementsAccessor** ElementsAccessor::elements_accessors_ = NULL; | 3044 ElementsAccessor** ElementsAccessor::elements_accessors_ = NULL; |
| 3045 } // namespace internal | 3045 } // namespace internal |
| 3046 } // namespace v8 | 3046 } // namespace v8 |
| OLD | NEW |
