
Side by Side Diff: src/builtins.cc

Issue 1863553003: [elements] Fix length bounds precheck for Array.prototype.concat (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: compare properly Created 4 years, 8 months ago
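--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -1,10 +1,10 @@
 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/builtins.h"
 
 #include "src/api.h"
 #include "src/api-arguments.h"
 #include "src/api-natives.h"
 #include "src/base/once.h"
@@ -1521,49 +1521,53 @@
 
 if (is_array_species) {
 return *visitor.ToArray();
 } else {
 return *visitor.storage_jsreceiver();
 }
 }
 
 
 MaybeHandle<JSArray> Fast_ArrayConcat(Isolate* isolate, Arguments* args) {
+// We shouldn't overflow when adding another len.
+const int kHalfOfMaxInt = 1 << (kBitsPerInt - 2);
+STATIC_ASSERT(FixedArray::kMaxLength < kHalfOfMaxInt);
+STATIC_ASSERT(FixedDoubleArray::kMaxLength < kHalfOfMaxInt);
+USE(kHalfOfMaxInt);
+
 int n_arguments = args->length();
 int result_len = 0;
 {
 DisallowHeapAllocation no_gc;
 // Iterate through all the arguments performing checks
 // and calculating total length.
 for (int i = 0; i < n_arguments; i++) {
 Object* arg = (*args)[i];
 if (!arg->IsJSArray()) return MaybeHandle<JSArray>();
 if (!JSObject::cast(arg)->HasFastElements()) {
 return MaybeHandle<JSArray>();
 }
 if (!HasOnlySimpleReceiverElements(isolate, JSObject::cast(arg))) {
 return MaybeHandle<JSArray>();
 }
 Handle<JSArray> array(JSArray::cast(arg), isolate);
 if (HasConcatSpreadableModifier(isolate, array)) {
 return MaybeHandle<JSArray>();
 }
-int len = Smi::cast(array->length())->value();
-
-// We shouldn't overflow when adding another len.
-const int kHalfOfMaxInt = 1 << (kBitsPerInt - 2);
-STATIC_ASSERT(FixedArray::kMaxLength < kHalfOfMaxInt);
-USE(kHalfOfMaxInt);
-result_len += len;
+// The Array length is guaranted to be <= kHalfOfMaxInt thus we won't
+// overflow.
+result_len += Smi::cast(array->length())->value();
 DCHECK(result_len >= 0);
 // Throw an Error if we overflow the FixedArray limits
-if (FixedArray::kMaxLength < result_len) {
+if (FixedDoubleArray::kMaxLength < result_len ||
+FixedArray::kMaxLength < result_len) {
+AllowHeapAllocation allow_gc;
 THROW_NEW_ERROR(isolate,
 NewRangeError(MessageTemplate::kInvalidArrayLength),
 JSArray);
 }
 }
 }
 return ElementsAccessor::Concat(isolate, args, n_arguments);
 }
 
 } // namespace
@@ -4841,10 +4845,10 @@
 BUILTIN_LIST_T(DEFINE_BUILTIN_ACCESSOR_T)
 BUILTIN_LIST_H(DEFINE_BUILTIN_ACCESSOR_H)
 BUILTIN_LIST_DEBUG_A(DEFINE_BUILTIN_ACCESSOR_A)
 #undef DEFINE_BUILTIN_ACCESSOR_C
 #undef DEFINE_BUILTIN_ACCESSOR_A
 #undef DEFINE_BUILTIN_ACCESSOR_T
 #undef DEFINE_BUILTIN_ACCESSOR_H
 
 } // namespace internal
 } // namespace v8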
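Review bot: The comment at new lines 1556-1557 misstates the overflow argument: the hoisted STATIC_ASSERTs bound each length strictly below kHalfOfMaxInt (not `<=`, and two values equal to kHalfOfMaxInt would already overflow a 32-bit int), and the addition is only safe because the check at 1561-1562 throws whenever result_len exceeds the kMaxLength limits, so result_len entering the next iteration is itself below kHalfOfMaxInt. Suggest replacing the two comment lines with `// Each length is < kHalfOfMaxInt (STATIC_ASSERTs above) and result_len was` / `// capped at kMaxLength by the previous iteration's check, so this cannot overflow.`, which also fixes the "guaranted" typo. Separately, the combined condition applies the stricter FixedDoubleArray::kMaxLength bound to every elements kind and raises a RangeError from the fast path rather than returning an empty MaybeHandle to bail out as the other rejections in this loop do; whether ElementsAccessor::Concat always needs the double bound is not visible here, so a one-line comment stating why the conservative bound is intentional would help the next reader. The `AllowHeapAllocation allow_gc;` before THROW_NEW_ERROR is needed since the throw allocates inside the `no_gc` scope; the raw `arg` pointer is not used after it, so that looks safe.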