| Index: src/runtime.cc
|
| diff --git a/src/runtime.cc b/src/runtime.cc
|
| index 9e2236f8ce155d653586b0465546b8310f9b5b12..4c0d8a906b7891358eae55eb6086c7a22bc4373f 100644
|
| --- a/src/runtime.cc
|
| +++ b/src/runtime.cc
|
| @@ -2768,6 +2768,9 @@ RUNTIME_FUNCTION(Runtime_FinishArrayPrototypeSetup) {
|
| HandleScope scope(isolate);
|
| ASSERT(args.length() == 1);
|
| CONVERT_ARG_HANDLE_CHECKED(JSArray, prototype, 0);
|
| + Object* length = prototype->length();
|
| + RUNTIME_ASSERT(length->IsSmi() && Smi::cast(length)->value() == 0);
|
| + RUNTIME_ASSERT(prototype->HasFastSmiOrObjectElements());
|
| // This is necessary to enable fast checks for absence of elements
|
| // on Array.prototype and below.
|
| prototype->set_elements(isolate->heap()->empty_fixed_array());
|
| @@ -3091,6 +3094,7 @@ RUNTIME_FUNCTION(Runtime_SetCode) {
|
|
|
| Handle<SharedFunctionInfo> target_shared(target->shared());
|
| Handle<SharedFunctionInfo> source_shared(source->shared());
|
| + RUNTIME_ASSERT(!source_shared->bound());
|
|
|
| if (!Compiler::EnsureCompiled(source, KEEP_EXCEPTION)) {
|
| return isolate->heap()->exception();
|
| @@ -6326,6 +6330,7 @@ RUNTIME_FUNCTION(Runtime_TruncateString) {
|
| ASSERT(args.length() == 2);
|
| CONVERT_ARG_HANDLE_CHECKED(SeqString, string, 0);
|
| CONVERT_SMI_ARG_CHECKED(new_length, 1);
|
| + RUNTIME_ASSERT(new_length >= 0);
|
| return *SeqString::Truncate(string, new_length);
|
| }
|
|
|
| @@ -6771,6 +6776,7 @@ RUNTIME_FUNCTION(Runtime_StringSplit) {
|
| CONVERT_ARG_HANDLE_CHECKED(String, subject, 0);
|
| CONVERT_ARG_HANDLE_CHECKED(String, pattern, 1);
|
| CONVERT_NUMBER_CHECKED(uint32_t, limit, Uint32, args[2]);
|
| + RUNTIME_ASSERT(limit > 0);
|
|
|
| int subject_length = subject->length();
|
| int pattern_length = pattern->length();
|
| @@ -7204,7 +7210,6 @@ static inline int StringBuilderConcatLength(int special_length,
|
| *one_byte = false;
|
| }
|
| } else {
|
| - ASSERT(!elt->IsTheHole());
|
| return -1;
|
| }
|
| if (increment > String::kMaxLength - position) {
|
| @@ -7233,6 +7238,7 @@ RUNTIME_FUNCTION(Runtime_StringBuilderConcat) {
|
| // This assumption is used by the slice encoding in one or two smis.
|
| ASSERT(Smi::kMaxValue >= String::kMaxLength);
|
|
|
| + RUNTIME_ASSERT(array->HasFastElements());
|
| JSObject::EnsureCanContainHeapObjectElements(array);
|
|
|
| int special_length = special->length();
|
| @@ -8202,10 +8208,10 @@ RUNTIME_FUNCTION(Runtime_FunctionBindArguments) {
|
| GetCallerArguments(isolate, 0, &argc);
|
| // Don't count the this-arg.
|
| if (argc > 0) {
|
| - ASSERT(*arguments[0] == args[2]);
|
| + RUNTIME_ASSERT(*arguments[0] == args[2]);
|
| argc--;
|
| } else {
|
| - ASSERT(args[2]->IsUndefined());
|
| + RUNTIME_ASSERT(args[2]->IsUndefined());
|
| }
|
| // Initialize array of bindings (function, this, and any existing arguments
|
| // if the function was already bound).
|
| @@ -8214,6 +8220,7 @@ RUNTIME_FUNCTION(Runtime_FunctionBindArguments) {
|
| if (bindee->IsJSFunction() && JSFunction::cast(*bindee)->shared()->bound()) {
|
| Handle<FixedArray> old_bindings(
|
| JSFunction::cast(*bindee)->function_bindings());
|
| + RUNTIME_ASSERT(old_bindings->length() > JSFunction::kBoundFunctionIndex);
|
| new_bindings =
|
| isolate->factory()->NewFixedArray(old_bindings->length() + argc);
|
| bindee = Handle<Object>(old_bindings->get(JSFunction::kBoundFunctionIndex),
|
| @@ -8256,7 +8263,7 @@ RUNTIME_FUNCTION(Runtime_BoundFunctionGetBindings) {
|
| Handle<JSFunction> function = Handle<JSFunction>::cast(callable);
|
| if (function->shared()->bound()) {
|
| Handle<FixedArray> bindings(function->function_bindings());
|
| - ASSERT(bindings->map() == isolate->heap()->fixed_cow_array_map());
|
| + RUNTIME_ASSERT(bindings->map() == isolate->heap()->fixed_cow_array_map());
|
| return *isolate->factory()->NewJSArrayWithElements(bindings);
|
| }
|
| }
|
| @@ -8617,6 +8624,7 @@ RUNTIME_FUNCTION(Runtime_RunningInSimulator) {
|
|
|
| RUNTIME_FUNCTION(Runtime_IsConcurrentRecompilationSupported) {
|
| SealHandleScope shs(isolate);
|
| + ASSERT(args.length() == 0);
|
| return isolate->heap()->ToBoolean(
|
| isolate->concurrent_recompilation_enabled());
|
| }
|
| @@ -9662,6 +9670,7 @@ RUNTIME_FUNCTION(Runtime_DateParseString) {
|
| CONVERT_ARG_HANDLE_CHECKED(String, str, 0);
|
| CONVERT_ARG_HANDLE_CHECKED(JSArray, output, 1);
|
|
|
| + RUNTIME_ASSERT(output->HasFastElements());
|
| JSObject::EnsureCanContainHeapObjectElements(output);
|
| RUNTIME_ASSERT(output->HasFastObjectElements());
|
| Handle<FixedArray> output_array(FixedArray::cast(output->elements()));
|
| @@ -14541,12 +14550,15 @@ RUNTIME_FUNCTION(Runtime_LoadMutableDouble) {
|
| CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0);
|
| CONVERT_ARG_HANDLE_CHECKED(Smi, index, 1);
|
| int idx = index->value() >> 1;
|
| + int inobject_properties = object->map()->inobject_properties();
|
| if (idx < 0) {
|
| - idx = -idx + object->map()->inobject_properties() - 1;
|
| + idx = -idx + inobject_properties - 1;
|
| }
|
| + int max_idx = object->properties()->length() + inobject_properties;
|
| + RUNTIME_ASSERT(idx < max_idx);
|
| Handle<Object> raw_value(object->RawFastPropertyAt(idx), isolate);
|
| RUNTIME_ASSERT(raw_value->IsNumber() || raw_value->IsUninitialized());
|
| - return *JSObject::FastPropertyAt(object, Representation::Double(), idx);
|
| + return *Object::NewStorageFor(isolate, raw_value, Representation::Double());
|
| }
|
|
|
|
|
|
|
Chromium Code Reviews
Issue 256293002:
More runtime hardening (Closed)
Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge