| OLD | NEW |
|---|
| 1 // Copyright 2016 the V8 project authors. All rights reserved. | 1 // Copyright 2016 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/value-serializer.h" | 5 #include "src/value-serializer.h" |
| 6 | 6 |
| 7 #include <type_traits> | 7 #include <type_traits> |
| 8 | 8 |
| 9 #include "src/base/logging.h" | 9 #include "src/base/logging.h" |
| 10 #include "src/conversions.h" | 10 #include "src/conversions.h" |
| (...skipping 452 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 463 | 463 |
| 464 // To keep things simple, for now we decide between dense and sparse | 464 // To keep things simple, for now we decide between dense and sparse |
| 465 // serialization based on elements kind. A more principled heuristic could | 465 // serialization based on elements kind. A more principled heuristic could |
| 466 // count the elements, but would need to take care to note which indices | 466 // count the elements, but would need to take care to note which indices |
| 467 // existed (as only indices which were enumerable own properties at this point | 467 // existed (as only indices which were enumerable own properties at this point |
| 468 // should be serialized). | 468 // should be serialized). |
| 469 const bool should_serialize_densely = | 469 const bool should_serialize_densely = |
| 470 array->HasFastElements() && !array->HasFastHoleyElements(); | 470 array->HasFastElements() && !array->HasFastHoleyElements(); |
| 471 | 471 |
| 472 if (should_serialize_densely) { | 472 if (should_serialize_densely) { |
| 473 DCHECK_LE(length, static_cast<uint32_t>(FixedArray::kMaxLength)); |
| 474 |
| 473 // TODO(jbroman): Distinguish between undefined and a hole (this can happen | 475 // TODO(jbroman): Distinguish between undefined and a hole (this can happen |
| 474 // if serializing one of the elements deletes another). This requires wire | 476 // if serializing one of the elements deletes another). This requires wire |
| 475 // format changes. | 477 // format changes. |
| 476 WriteTag(SerializationTag::kBeginDenseJSArray); | 478 WriteTag(SerializationTag::kBeginDenseJSArray); |
| 477 WriteVarint<uint32_t>(length); | 479 WriteVarint<uint32_t>(length); |
| 478 uint32_t i = 0; | 480 uint32_t i = 0; |
| 479 | 481 |
| 480 // Fast paths. Note that FAST_ELEMENTS in particular can bail due to the | 482 // Fast paths. Note that FAST_ELEMENTS in particular can bail due to the |
| 481 // structure of the elements changing. | 483 // structure of the elements changing. |
| 482 switch (array->GetElementsKind()) { | 484 switch (array->GetElementsKind()) { |
| (...skipping 675 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1158 } | 1160 } |
| 1159 | 1161 |
| 1160 DCHECK(HasObjectWithID(id)); | 1162 DCHECK(HasObjectWithID(id)); |
| 1161 return scope.CloseAndEscape(array); | 1163 return scope.CloseAndEscape(array); |
| 1162 } | 1164 } |
| 1163 | 1165 |
| 1164 MaybeHandle<JSArray> ValueDeserializer::ReadDenseJSArray() { | 1166 MaybeHandle<JSArray> ValueDeserializer::ReadDenseJSArray() { |
| 1165 // If we are at the end of the stack, abort. This function may recurse. | 1167 // If we are at the end of the stack, abort. This function may recurse. |
| 1166 STACK_CHECK(isolate_, MaybeHandle<JSArray>()); | 1168 STACK_CHECK(isolate_, MaybeHandle<JSArray>()); |
| 1167 | 1169 |
| 1170 // We shouldn't permit an array larger than the biggest we can request from |
| 1171 // V8. As an additional sanity check, since each entry will take at least one |
| 1172 // byte to encode, if there are fewer bytes than that we can also fail fast. |
| 1168 uint32_t length; | 1173 uint32_t length; |
| 1169 if (!ReadVarint<uint32_t>().To(&length)) return MaybeHandle<JSArray>(); | 1174 if (!ReadVarint<uint32_t>().To(&length) || |
| 1175 length > static_cast<uint32_t>(FixedArray::kMaxLength) || |
| 1176 length > static_cast<size_t>(end_ - position_)) { |
| 1177 return MaybeHandle<JSArray>(); |
| 1178 } |
| 1170 | 1179 |
| 1171 uint32_t id = next_id_++; | 1180 uint32_t id = next_id_++; |
| 1172 HandleScope scope(isolate_); | 1181 HandleScope scope(isolate_); |
| 1173 Handle<JSArray> array = isolate_->factory()->NewJSArray( | 1182 Handle<JSArray> array = isolate_->factory()->NewJSArray( |
| 1174 FAST_HOLEY_ELEMENTS, length, length, INITIALIZE_ARRAY_ELEMENTS_WITH_HOLE, | 1183 FAST_HOLEY_ELEMENTS, length, length, INITIALIZE_ARRAY_ELEMENTS_WITH_HOLE, |
| 1175 pretenure_); | 1184 pretenure_); |
| 1176 AddObjectWithID(id, array); | 1185 AddObjectWithID(id, array); |
| 1177 | 1186 |
| 1178 Handle<FixedArray> elements(FixedArray::cast(array->elements()), isolate_); | 1187 Handle<FixedArray> elements(FixedArray::cast(array->elements()), isolate_); |
| 1179 for (uint32_t i = 0; i < length; i++) { | 1188 for (uint32_t i = 0; i < length; i++) { |
| (...skipping 544 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1724 if (stack.size() != 1) { | 1733 if (stack.size() != 1) { |
| 1725 isolate_->Throw(*isolate_->factory()->NewError( | 1734 isolate_->Throw(*isolate_->factory()->NewError( |
| 1726 MessageTemplate::kDataCloneDeserializationError)); | 1735 MessageTemplate::kDataCloneDeserializationError)); |
| 1727 return MaybeHandle<Object>(); | 1736 return MaybeHandle<Object>(); |
| 1728 } | 1737 } |
| 1729 return scope.CloseAndEscape(stack[0]); | 1738 return scope.CloseAndEscape(stack[0]); |
| 1730 } | 1739 } |
| 1731 | 1740 |
| 1732 } // namespace internal | 1741 } // namespace internal |
| 1733 } // namespace v8 | 1742 } // namespace v8 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2399873002:
ValueSerializer: Add more checks before trying to allocate memory for a dense array. (Closed)
