Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(270)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: src/runtime/runtime-typedarray.cc

Issue 2373013002: [typedarray] Really check that the JSTypedArray::length is always a Smi. (Closed)
Patch Set: Created 4 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « src/objects-debug.cc ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2014 the V8 project authors. All rights reserved. 1 // Copyright 2014 the V8 project authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "src/runtime/runtime-utils.h" 5 #include "src/runtime/runtime-utils.h"
6 6
7 #include "src/arguments.h" 7 #include "src/arguments.h"
8 #include "src/factory.h" 8 #include "src/factory.h"
9 #include "src/messages.h" 9 #include "src/messages.h"
10 #include "src/objects-inl.h" 10 #include "src/objects-inl.h"
(...skipping 186 matching lines...) Expand 10 before | Expand all | Expand 10 after
197 CHECK(holder->map()->elements_kind() == fixed_elements_kind); 197 CHECK(holder->map()->elements_kind() == fixed_elements_kind);
198 198
199 Handle<JSArrayBuffer> buffer = isolate->factory()->NewJSArrayBuffer(); 199 Handle<JSArrayBuffer> buffer = isolate->factory()->NewJSArrayBuffer();
200 size_t length = 0; 200 size_t length = 0;
201 if (source->IsJSTypedArray() && 201 if (source->IsJSTypedArray() &&
202 JSTypedArray::cast(*source)->type() == array_type) { 202 JSTypedArray::cast(*source)->type() == array_type) {
203 length_obj = handle(JSTypedArray::cast(*source)->length(), isolate); 203 length_obj = handle(JSTypedArray::cast(*source)->length(), isolate);
204 length = JSTypedArray::cast(*source)->length_value(); 204 length = JSTypedArray::cast(*source)->length_value();
205 } else { 205 } else {
206 CHECK(TryNumberToSize(*length_obj, &length)); 206 CHECK(TryNumberToSize(*length_obj, &length));
207 CHECK(length_obj->IsSmi());
207 } 208 }
208 209
209 if ((length > static_cast<unsigned>(Smi::kMaxValue)) || 210 if ((length > static_cast<unsigned>(Smi::kMaxValue)) ||
210 (length > (kMaxInt / element_size))) { 211 (length > (kMaxInt / element_size))) {
211 THROW_NEW_ERROR_RETURN_FAILURE( 212 THROW_NEW_ERROR_RETURN_FAILURE(
212 isolate, NewRangeError(MessageTemplate::kInvalidTypedArrayLength)); 213 isolate, NewRangeError(MessageTemplate::kInvalidTypedArrayLength));
213 } 214 }
214 size_t byte_length = length * element_size; 215 size_t byte_length = length * element_size;
215 216
216 DCHECK_EQ(v8::ArrayBufferView::kInternalFieldCount, 217 DCHECK_EQ(v8::ArrayBufferView::kInternalFieldCount,
(...skipping 197 matching lines...) Expand 10 before | Expand all | Expand 10 after
414 return isolate->heap()->false_value(); 415 return isolate->heap()->false_value();
415 } 416 }
416 417
417 Handle<JSTypedArray> obj(JSTypedArray::cast(args[0])); 418 Handle<JSTypedArray> obj(JSTypedArray::cast(args[0]));
418 return isolate->heap()->ToBoolean(obj->GetBuffer()->is_shared() && 419 return isolate->heap()->ToBoolean(obj->GetBuffer()->is_shared() &&
419 obj->type() == kExternalInt32Array); 420 obj->type() == kExternalInt32Array);
420 } 421 }
421 422
422 } // namespace internal 423 } // namespace internal
423 } // namespace v8 424 } // namespace v8
OLDNEW
« no previous file with comments | « src/objects-debug.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698