Side by Side Diff: src/elements.cc

Issue 1863553003: [elements] Fix length bounds precheck for Array.prototype.concat (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: compare properly Created 4 years, 8 months ago
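--- a/src/elements.cc
+++ b/src/elements.cc
@@ -1,10 +1,10 @@
 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/elements.h"
 
 #include "src/arguments.h"
 #include "src/conversions.h"
 #include "src/factory.h"
 #include "src/isolate-inl.h"
@@ -2971,37 +2971,37 @@
 if (elements_accessors_ == NULL) return;
 #define ACCESSOR_DELETE(Class, Kind, Store) delete elements_accessors_[Kind];
 ELEMENTS_LIST(ACCESSOR_DELETE)
 #undef ACCESSOR_DELETE
 elements_accessors_ = NULL;
 }
 
 
 Handle<JSArray> ElementsAccessor::Concat(Isolate* isolate, Arguments* args,
 uint32_t concat_size) {
+const int kHalfOfMaxInt = 1 << (kBitsPerInt - 2);
+STATIC_ASSERT(FixedDoubleArray::kMaxLength < kHalfOfMaxInt);
+USE(kHalfOfMaxInt);
 uint32_t result_len = 0;
 bool has_raw_doubles = false;
 ElementsKind result_elements_kind = GetInitialFastElementsKind();
 {
 DisallowHeapAllocation no_gc;
 bool is_holey = false;
 // Iterate through all the arguments performing checks
 // and calculating total length.
 for (uint32_t i = 0; i < concat_size; i++) {
 JSArray* array = JSArray::cast((*args)[i]);
 uint32_t len = 0;
 array->length()->ToArrayLength(&len);
 
 // We shouldn't overflow when adding another len.
-const int kHalfOfMaxInt = 1 << (kBitsPerInt - 2);
-STATIC_ASSERT(FixedArray::kMaxLength < kHalfOfMaxInt);
-USE(kHalfOfMaxInt);
 result_len += len;
 DCHECK(0 <= result_len);
 DCHECK(result_len <= FixedDoubleArray::kMaxLength);
 
 ElementsKind arg_kind = array->GetElementsKind();
 has_raw_doubles = has_raw_doubles || IsFastDoubleElementsKind(arg_kind);
 is_holey = is_holey || IsFastHoleyElementsKind(arg_kind);
 result_elements_kind =
 GetMoreGeneralElementsKind(result_elements_kind, arg_kind);
 }
@@ -3037,10 +3037,10 @@
 insertion_index += len;
 }
 
 DCHECK_EQ(insertion_index, result_len);
 return result_array;
 }
 
 ElementsAccessor** ElementsAccessor::elements_accessors_ = NULL;
 } // namespace internal
 } // namespace v8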
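Review bot: The comment `// We shouldn't overflow when adding another len.` at new line 2997 is now orphaned inside the loop, because the STATIC_ASSERT it was explaining has moved to the top of Concat (new lines 2981-2983); it should move with it and say what the assertion actually bounds, e.g. `// Every input length is at most FixedDoubleArray::kMaxLength, so one addition of two lengths cannot overflow an int; the total over all concat_size inputs is not bounded here.` That last clause is the point worth making explicit: the static assertion covers a single addition, but the loop accumulates concat_size lengths into a uint32_t, and the only guard on the running total is `DCHECK(result_len <= FixedDoubleArray::kMaxLength)`, which is compiled out of release builds. The total therefore has to be enforced before Concat is entered; the src/builtins.cc change in this issue is presumably where that precheck lives, but it is not visible in this view, so a one-line comment at the STATIC_ASSERT naming that precondition would make the contract explicit. Concat's middle section (lines 3008-3036) is elided from this rendering, so the rest of the function is not under review here.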