 Chromium Code Reviews Issue 225983005:
  Make TypedArray::New functions crash on wrong lengths.  (Closed) 
  Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
    
  
    Issue 225983005:
  Make TypedArray::New fucntions crash on wrong lengths.  (Closed) 
  Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge| OLD | NEW | 
|---|---|
| 1 // Copyright 2012 the V8 project authors. All rights reserved. | 1 // Copyright 2012 the V8 project authors. All rights reserved. | 
| 2 // Redistribution and use in source and binary forms, with or without | 2 // Redistribution and use in source and binary forms, with or without | 
| 3 // modification, are permitted provided that the following conditions are | 3 // modification, are permitted provided that the following conditions are | 
| 4 // met: | 4 // met: | 
| 5 // | 5 // | 
| 6 // * Redistributions of source code must retain the above copyright | 6 // * Redistributions of source code must retain the above copyright | 
| 7 // notice, this list of conditions and the following disclaimer. | 7 // notice, this list of conditions and the following disclaimer. | 
| 8 // * Redistributions in binary form must reproduce the above | 8 // * Redistributions in binary form must reproduce the above | 
| 9 // copyright notice, this list of conditions and the following | 9 // copyright notice, this list of conditions and the following | 
| 10 // disclaimer in the documentation and/or other materials provided | 10 // disclaimer in the documentation and/or other materials provided | 
| 6068 i::Handle<i::JSTypedArray> NewTypedArray( | 6068 i::Handle<i::JSTypedArray> NewTypedArray( | 
| 6069 i::Isolate* isolate, | 6069 i::Isolate* isolate, | 
| 6070 Handle<ArrayBuffer> array_buffer, size_t byte_offset, size_t length) { | 6070 Handle<ArrayBuffer> array_buffer, size_t byte_offset, size_t length) { | 
| 6071 i::Handle<i::JSTypedArray> obj = | 6071 i::Handle<i::JSTypedArray> obj = | 
| 6072 isolate->factory()->NewJSTypedArray(array_type); | 6072 isolate->factory()->NewJSTypedArray(array_type); | 
| 6073 i::Handle<i::JSArrayBuffer> buffer = Utils::OpenHandle(*array_buffer); | 6073 i::Handle<i::JSArrayBuffer> buffer = Utils::OpenHandle(*array_buffer); | 
| 6074 | 6074 | 
| 6075 ASSERT(byte_offset % sizeof(ElementType) == 0); | 6075 ASSERT(byte_offset % sizeof(ElementType) == 0); | 
| 6076 | 6076 | 
| 6077 CHECK(length <= (std::numeric_limits<size_t>::max() / sizeof(ElementType))); | 6077 CHECK(length <= (std::numeric_limits<size_t>::max() / sizeof(ElementType))); | 
| 6078 CHECK(length <= static_cast<size_t>(i::Smi::kMaxValue)); | |
| 
Jakob Kummerow
2014/04/06 11:41:15
With the change below we should never hit this case.
 
Dmitry Lomov (no reviews)
2014/04/07 05:54:22
Exactly.
 | |
| 6078 size_t byte_length = length * sizeof(ElementType); | 6079 size_t byte_length = length * sizeof(ElementType); | 
| 6079 SetupArrayBufferView( | 6080 SetupArrayBufferView( | 
| 6080 isolate, obj, buffer, byte_offset, byte_length); | 6081 isolate, obj, buffer, byte_offset, byte_length); | 
| 6081 | 6082 | 
| 6082 i::Handle<i::Object> length_object = | 6083 i::Handle<i::Object> length_object = | 
| 6083 isolate->factory()->NewNumberFromSize(length); | 6084 isolate->factory()->NewNumberFromSize(length); | 
| 6084 obj->set_length(*length_object); | 6085 obj->set_length(*length_object); | 
| 6085 | 6086 | 
| 6086 i::Handle<i::ExternalArray> elements = | 6087 i::Handle<i::ExternalArray> elements = | 
| 6087 isolate->factory()->NewExternalArray( | 6088 isolate->factory()->NewExternalArray( | 
| 6088 static_cast<int>(length), array_type, | 6089 static_cast<int>(length), array_type, | 
| 6089 static_cast<uint8_t*>(buffer->backing_store()) + byte_offset); | 6090 static_cast<uint8_t*>(buffer->backing_store()) + byte_offset); | 
| 6090 i::Handle<i::Map> map = | 6091 i::Handle<i::Map> map = | 
| 6091 i::JSObject::GetElementsTransitionMap(obj, elements_kind); | 6092 i::JSObject::GetElementsTransitionMap(obj, elements_kind); | 
| 6092 i::JSObject::SetMapAndElements(obj, map, elements); | 6093 i::JSObject::SetMapAndElements(obj, map, elements); | 
| 6093 return obj; | 6094 return obj; | 
| 6094 } | 6095 } | 
| 6095 | 6096 | 
| 6096 | 6097 | 
| 6097 #define TYPED_ARRAY_NEW(Type, type, TYPE, ctype, size) \ | 6098 #define TYPED_ARRAY_NEW(Type, type, TYPE, ctype, size) \ | 
| 6098 Local<Type##Array> Type##Array::New(Handle<ArrayBuffer> array_buffer, \ | 6099 Local<Type##Array> Type##Array::New(Handle<ArrayBuffer> array_buffer, \ | 
| 6099 size_t byte_offset, size_t length) { \ | 6100 size_t byte_offset, size_t length) { \ | 
| 6100 i::Isolate* isolate = i::Isolate::Current(); \ | 6101 i::Isolate* isolate = i::Isolate::Current(); \ | 
| 6101 EnsureInitializedForIsolate(isolate, \ | 6102 EnsureInitializedForIsolate(isolate, \ | 
| 6102 "v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t, size_t)"); \ | 6103 "v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t, size_t)"); \ | 
| 6103 LOG_API(isolate, \ | 6104 LOG_API(isolate, \ | 
| 6104 "v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t, size_t)"); \ | 6105 "v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t, size_t)"); \ | 
| 6105 ENTER_V8(isolate); \ | 6106 ENTER_V8(isolate); \ | 
| 6107 if (!Utils::ApiCheck(length <= static_cast<size_t>(i::Smi::kMaxValue), \ | |
| 6108 "v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t, size_t)", \ | |
| 6109 "length exceeds max allowed value")) { \ | |
| 6110 return Local<Type##Array>(); \ | |
| 
Jakob Kummerow
2014/04/06 11:41:15
nit: indentation (2 spaces is enough)
 
Dmitry Lomov (no reviews)
2014/04/07 05:54:22
Done.
 | |
| 6111 } \ | |
| 6106 i::Handle<i::JSTypedArray> obj = \ | 6112 i::Handle<i::JSTypedArray> obj = \ | 
| 6107 NewTypedArray<ctype, v8::kExternal##Type##Array, \ | 6113 NewTypedArray<ctype, v8::kExternal##Type##Array, \ | 
| 6108 i::EXTERNAL_##TYPE##_ELEMENTS>( \ | 6114 i::EXTERNAL_##TYPE##_ELEMENTS>( \ | 
| 6109 isolate, array_buffer, byte_offset, length); \ | 6115 isolate, array_buffer, byte_offset, length); \ | 
| 6110 return Utils::ToLocal##Type##Array(obj); \ | 6116 return Utils::ToLocal##Type##Array(obj); \ | 
| 6111 } | 6117 } | 
| 6112 | 6118 | 
| 6113 | 6119 | 
| 6114 TYPED_ARRAYS(TYPED_ARRAY_NEW) | 6120 TYPED_ARRAYS(TYPED_ARRAY_NEW) | 
| 6115 #undef TYPED_ARRAY_NEW | 6121 #undef TYPED_ARRAY_NEW | 
| 7662 Isolate* isolate = reinterpret_cast<Isolate*>(info.GetIsolate()); | 7668 Isolate* isolate = reinterpret_cast<Isolate*>(info.GetIsolate()); | 
| 7663 Address callback_address = | 7669 Address callback_address = | 
| 7664 reinterpret_cast<Address>(reinterpret_cast<intptr_t>(callback)); | 7670 reinterpret_cast<Address>(reinterpret_cast<intptr_t>(callback)); | 
| 7665 VMState<EXTERNAL> state(isolate); | 7671 VMState<EXTERNAL> state(isolate); | 
| 7666 ExternalCallbackScope call_scope(isolate, callback_address); | 7672 ExternalCallbackScope call_scope(isolate, callback_address); | 
| 7667 callback(info); | 7673 callback(info); | 
| 7668 } | 7674 } | 
| 7669 | 7675 | 
| 7670 | 7676 | 
| 7671 } } // namespace v8::internal | 7677 } } // namespace v8::internal | 
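Review bot: The new ApiCheck in TYPED_ARRAY_NEW (new lines 6107–6111) bounds `length` against Smi::kMaxValue, which also protects the `static_cast<int>(length)` passed to NewExternalArray at 6089, but nothing visible in this section verifies that the requested view fits inside the buffer: `static_cast<uint8_t*>(buffer->backing_store()) + byte_offset` at new line 6090 is formed without comparing `byte_offset` and `byte_length` to the buffer's size. If SetupArrayBufferView (defined outside this section) does not enforce that, an embedder passing an oversized offset or length obtains an external array whose element storage lies past the backing store. The same ApiCheck pattern could cover it in the macro, e.g. `Utils::ApiCheck(byte_offset <= array_buffer->ByteLength() && length <= (array_buffer->ByteLength() - byte_offset) / sizeof(ctype), ...)`, written as a division so the check itself cannot overflow size_t on 32-bit targets where length * sizeof(ctype) still can. Separately, `ASSERT(byte_offset % sizeof(ElementType) == 0)` at 6075 is debug-only, so a misaligned offset from the embedder passes silently in release builds; an ApiCheck would be the consistent choice there too.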