
Side by Side Diff: src/runtime/runtime-typedarray.cc

Issue 2377943002: [typedarray] Properly initialize JSTypedArray::length with Smi. (Closed)
Patch Set: Created 4 years, 2 months ago
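--- a/src/runtime/runtime-typedarray.cc
+++ b/src/runtime/runtime-typedarray.cc
@@ -1,10 +1,10 @@
 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/runtime/runtime-utils.h"
 
 #include "src/arguments.h"
 #include "src/factory.h"
 #include "src/messages.h"
 #include "src/objects-inl.h"
@@ -193,25 +193,23 @@
   ElementsKind fixed_elements_kind = INT8_ELEMENTS;  // Bogus initialization.
   Runtime::ArrayIdToTypeAndSize(arrayId, &array_type, &fixed_elements_kind,
                                 &element_size);
 
   CHECK(holder->map()->elements_kind() == fixed_elements_kind);
 
   Handle<JSArrayBuffer> buffer = isolate->factory()->NewJSArrayBuffer();
   size_t length = 0;
   if (source->IsJSTypedArray() &&
       JSTypedArray::cast(*source)->type() == array_type) {
-    length_obj = handle(JSTypedArray::cast(*source)->length(), isolate);
     length = JSTypedArray::cast(*source)->length_value();
   } else {
     CHECK(TryNumberToSize(*length_obj, &length));
-    CHECK(length_obj->IsSmi());
   }
 
   if ((length > static_cast<unsigned>(Smi::kMaxValue)) ||
       (length > (kMaxInt / element_size))) {
     THROW_NEW_ERROR_RETURN_FAILURE(
         isolate, NewRangeError(MessageTemplate::kInvalidTypedArrayLength));
   }
   size_t byte_length = length * element_size;
 
   DCHECK_EQ(v8::ArrayBufferView::kInternalFieldCount,
@@ -240,20 +238,21 @@
                                          false)) {
     THROW_NEW_ERROR_RETURN_FAILURE(
         isolate, NewRangeError(MessageTemplate::kInvalidArrayBufferLength));
   }
 
   holder->set_buffer(*buffer);
   holder->set_byte_offset(Smi::FromInt(0));
   Handle<Object> byte_length_obj(
       isolate->factory()->NewNumberFromSize(byte_length));
   holder->set_byte_length(*byte_length_obj);
+  length_obj = isolate->factory()->NewNumberFromSize(length);
   holder->set_length(*length_obj);
 
   Handle<FixedTypedArrayBase> elements =
       isolate->factory()->NewFixedTypedArrayWithExternalPointer(
           static_cast<int>(length), array_type,
           static_cast<uint8_t*>(buffer->backing_store()));
   holder->set_elements(*elements);
 
   if (source->IsJSTypedArray()) {
     Handle<JSTypedArray> typed_array(JSTypedArray::cast(*source));
@@ -415,10 +414,10 @@
     return isolate->heap()->false_value();
   }
 
   Handle<JSTypedArray> obj(JSTypedArray::cast(args[0]));
   return isolate->heap()->ToBoolean(obj->GetBuffer()->is_shared() &&
                                     obj->type() == kExternalInt32Array);
 }
 
 }  // namespace internal
 }  // namespace v8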
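Review bot: The Smi guarantee the commit title promises for `holder->set_length` is now carried implicitly by the range check at new line 206 (`length > static_cast<unsigned>(Smi::kMaxValue)`), which sits some forty lines above the new assignment at new line 248, and the explicit `CHECK(length_obj->IsSmi())` that used to enforce it was removed. Since `NewNumberFromSize` presumably hands back a HeapNumber when the value does not fit a Smi, a `DCHECK(length_obj->IsSmi());` placed directly before `holder->set_length(*length_obj);` would pin the invariant at the point it matters and catch any future reordering or relaxation of the range check. A one-line comment on the new assignment, such as `// length was bounded by Smi::kMaxValue above, so this yields a Smi.`, would also spare the next reader the search. The enclosing function and the declaration of `length_obj` begin before the first hunk, so the incoming value of `length_obj` is outside this view.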