third_party/WebKit/Source/bindings/core/v8/V8Binding.h - Issue 2657173002: Disallow sequences with lengths exceeding max allocation supported.

Side by Side Diff: third_party/WebKit/Source/bindings/core/v8/V8Binding.h

Issue 2657173002: Disallow sequences with lengths exceeding max allocation supported. (Closed)

Patch Set: add expected output Created 3 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

« no previous file with comments | « third_party/WebKit/LayoutTests/fast/events/message-event-max-ports-expected.txt ('k') | third_party/WebKit/Source/platform/heap/HeapAllocator.h » ('j') | third_party/WebKit/Source/wtf/Vector.h » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 /*	1 /*

2 * Copyright (C) 2009 Google Inc. All rights reserved.	2 * Copyright (C) 2009 Google Inc. All rights reserved.

3 * Copyright (C) 2012 Ericsson AB. All rights reserved.	3 * Copyright (C) 2012 Ericsson AB. All rights reserved.

4 *	4 *

5 * Redistribution and use in source and binary forms, with or without	5 * Redistribution and use in source and binary forms, with or without

6 * modification, are permitted provided that the following conditions are	6 * modification, are permitted provided that the following conditions are

7 * met:	7 * met:

8 *	8 *

9 * * Redistributions of source code must retain the above copyright	9 * * Redistributions of source code must retain the above copyright

10 * notice, this list of conditions and the following disclaimer.	10 * notice, this list of conditions and the following disclaimer.

(...skipping 643 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
654 uint32_t length = 0;	654 uint32_t length = 0;

655 if (value->IsArray()) {	655 if (value->IsArray()) {

656 length = v8::Local<v8::Array>::Cast(v8Value)->Length();	656 length = v8::Local<v8::Array>::Cast(v8Value)->Length();

657 } else if (!toV8Sequence(value, length, isolate, exceptionState)) {	657 } else if (!toV8Sequence(value, length, isolate, exceptionState)) {

658 if (!exceptionState.hadException())	658 if (!exceptionState.hadException())

659 exceptionState.throwTypeError(	659 exceptionState.throwTypeError(

660 ExceptionMessages::notAnArrayTypeArgumentOrValue(argumentIndex));	660 ExceptionMessages::notAnArrayTypeArgumentOrValue(argumentIndex));

661 return HeapVector<Member<T>>();	661 return HeapVector<Member<T>>();

662 }	662 }

663	663

664 HeapVector<Member<T>> result;	664 using VectorType = HeapVector<Member<T>>;

	665 if (length > VectorType::maxCapacity()) {

	666 exceptionState.throwTypeError("Array length exceeds supported limit.");
	sof 2017/01/27 14:05:33 Throwing RangeError is an option, and would be con Throwing RangeError is an option, and would be consistent with what's done elsewhere. Justin Novosad 2017/01/30 23:10:48 +1 The ES6 considers 2^32-1 to be the supported li Show quoted text On 2017/01/27 14:05:33, sof wrote: > Throwing RangeError is an option, and would be consistent with what's done > elsewhere. +1 The ES6 considers 2^32-1 to be the supported limit for array lengths: http://www.ecma-international.org/ecma-262/6.0/#sec-array-len I think implementations that have a supported limit that is different from that should do that same thing as if the requested length were above 2^32-1, which is to throw a RangeError exception. sof 2017/01/31 21:01:43 Thanks, better use RangeError, so let's. I don't i Show quoted text On 2017/01/30 23:10:48, Justin Novosad wrote: > On 2017/01/27 14:05:33, sof wrote: > > Throwing RangeError is an option, and would be consistent with what's done > > elsewhere. > > +1 > The ES6 considers 2^32-1 to be the supported limit for array lengths: > http://www.ecma-international.org/ecma-262/6.0/#sec-array-len > I think implementations that have a supported limit that is different from that > should do that same thing as if the requested length were above 2^32-1, which is > to throw a RangeError exception. Thanks, better use RangeError, so let's. I don't it represents a limitation for real use in these particular cases.
	667 return VectorType();

	668 }

	669

	670 VectorType result;

665 result.reserveInitialCapacity(length);	671 result.reserveInitialCapacity(length);

666 v8::Local<v8::Object> object = v8::Local<v8::Object>::Cast(v8Value);	672 v8::Local<v8::Object> object = v8::Local<v8::Object>::Cast(v8Value);

667 v8::TryCatch block(isolate);	673 v8::TryCatch block(isolate);

668 for (uint32_t i = 0; i < length; ++i) {	674 for (uint32_t i = 0; i < length; ++i) {

669 v8::Local<v8::Value> element;	675 v8::Local<v8::Value> element;

670 if (!v8Call(object->Get(isolate->GetCurrentContext(), i), element, block)) {	676 if (!v8Call(object->Get(isolate->GetCurrentContext(), i), element, block)) {

671 exceptionState.rethrowV8Exception(block.Exception());	677 exceptionState.rethrowV8Exception(block.Exception());

672 return HeapVector<Member<T>>();	678 return VectorType();

673 }	679 }

674 if (V8TypeOf<T>::Type::hasInstance(element, isolate)) {	680 if (V8TypeOf<T>::Type::hasInstance(element, isolate)) {

675 v8::Local<v8::Object> elementObject =	681 v8::Local<v8::Object> elementObject =

676 v8::Local<v8::Object>::Cast(element);	682 v8::Local<v8::Object>::Cast(element);

677 result.uncheckedAppend(V8TypeOf<T>::Type::toImpl(elementObject));	683 result.uncheckedAppend(V8TypeOf<T>::Type::toImpl(elementObject));

678 } else {	684 } else {

679 exceptionState.throwTypeError("Invalid Array element type");	685 exceptionState.throwTypeError("Invalid Array element type");

680 return HeapVector<Member<T>>();	686 return VectorType();

681 }	687 }

682 }	688 }

683 return result;	689 return result;

684 }	690 }

685	691

686 template <typename T>	692 template <typename T>

687 HeapVector<Member<T>> toMemberNativeArray(v8::Local<v8::Value> value,	693 HeapVector<Member<T>> toMemberNativeArray(v8::Local<v8::Value> value,

688 const String& propertyName,	694 const String& propertyName,

689 v8::Isolate* isolate,	695 v8::Isolate* isolate,

690 ExceptionState& exceptionState) {	696 ExceptionState& exceptionState) {

691 v8::Local<v8::Value> v8Value(v8::Local<v8::Value>::New(isolate, value));	697 v8::Local<v8::Value> v8Value(v8::Local<v8::Value>::New(isolate, value));

692 uint32_t length = 0;	698 uint32_t length = 0;

693 if (value->IsArray()) {	699 if (value->IsArray()) {

694 length = v8::Local<v8::Array>::Cast(v8Value)->Length();	700 length = v8::Local<v8::Array>::Cast(v8Value)->Length();

695 } else if (!toV8Sequence(value, length, isolate, exceptionState)) {	701 } else if (!toV8Sequence(value, length, isolate, exceptionState)) {

696 if (!exceptionState.hadException())	702 if (!exceptionState.hadException())

697 exceptionState.throwTypeError(	703 exceptionState.throwTypeError(

698 ExceptionMessages::notASequenceTypeProperty(propertyName));	704 ExceptionMessages::notASequenceTypeProperty(propertyName));

699 return HeapVector<Member<T>>();	705 return HeapVector<Member<T>>();

700 }	706 }

701	707

702 HeapVector<Member<T>> result;	708 using VectorType = HeapVector<Member<T>>;

	709 if (length > VectorType::maxCapacity()) {

	710 exceptionState.throwTypeError("Array length exceeds supported limit.");

	711 return VectorType();

	712 }

	713

	714 VectorType result;

703 result.reserveInitialCapacity(length);	715 result.reserveInitialCapacity(length);

704 v8::Local<v8::Object> object = v8::Local<v8::Object>::Cast(v8Value);	716 v8::Local<v8::Object> object = v8::Local<v8::Object>::Cast(v8Value);

705 v8::TryCatch block(isolate);	717 v8::TryCatch block(isolate);

706 for (uint32_t i = 0; i < length; ++i) {	718 for (uint32_t i = 0; i < length; ++i) {

707 v8::Local<v8::Value> element;	719 v8::Local<v8::Value> element;

708 if (!v8Call(object->Get(isolate->GetCurrentContext(), i), element, block)) {	720 if (!v8Call(object->Get(isolate->GetCurrentContext(), i), element, block)) {

709 exceptionState.rethrowV8Exception(block.Exception());	721 exceptionState.rethrowV8Exception(block.Exception());

710 return HeapVector<Member<T>>();	722 return VectorType();

711 }	723 }

712 if (V8TypeOf<T>::Type::hasInstance(element, isolate)) {	724 if (V8TypeOf<T>::Type::hasInstance(element, isolate)) {

713 v8::Local<v8::Object> elementObject =	725 v8::Local<v8::Object> elementObject =

714 v8::Local<v8::Object>::Cast(element);	726 v8::Local<v8::Object>::Cast(element);

715 result.uncheckedAppend(V8TypeOf<T>::Type::toImpl(elementObject));	727 result.uncheckedAppend(V8TypeOf<T>::Type::toImpl(elementObject));

716 } else {	728 } else {

717 exceptionState.throwTypeError("Invalid Array element type");	729 exceptionState.throwTypeError("Invalid Array element type");

718 return HeapVector<Member<T>>();	730 return VectorType();

719 }	731 }

720 }	732 }

721 return result;	733 return result;

722 }	734 }

723	735

724 // Converts a JavaScript value to an array as per the Web IDL specification:	736 // Converts a JavaScript value to an array as per the Web IDL specification:

725 // http://www.w3.org/TR/2012/CR-WebIDL-20120419/#es-array	737 // http://www.w3.org/TR/2012/CR-WebIDL-20120419/#es-array

726 template <typename VectorType>	738 template <typename VectorType>

727 VectorType toImplArray(v8::Local<v8::Value> value,	739 VectorType toImplArray(v8::Local<v8::Value> value,

728 int argumentIndex,	740 int argumentIndex,

729 v8::Isolate* isolate,	741 v8::Isolate* isolate,

730 ExceptionState& exceptionState) {	742 ExceptionState& exceptionState) {

731 typedef typename VectorType::ValueType ValueType;	743 typedef typename VectorType::ValueType ValueType;

732 typedef NativeValueTraits<ValueType> TraitsType;	744 typedef NativeValueTraits<ValueType> TraitsType;

733	745

734 uint32_t length = 0;	746 uint32_t length = 0;

735 if (value->IsArray()) {	747 if (value->IsArray()) {

736 length = v8::Local<v8::Array>::Cast(value)->Length();	748 length = v8::Local<v8::Array>::Cast(value)->Length();

737 } else if (!toV8Sequence(value, length, isolate, exceptionState)) {	749 } else if (!toV8Sequence(value, length, isolate, exceptionState)) {

738 if (!exceptionState.hadException())	750 if (!exceptionState.hadException())

739 exceptionState.throwTypeError(	751 exceptionState.throwTypeError(

740 ExceptionMessages::notAnArrayTypeArgumentOrValue(argumentIndex));	752 ExceptionMessages::notAnArrayTypeArgumentOrValue(argumentIndex));

741 return VectorType();	753 return VectorType();

742 }	754 }

743	755

744 if (length > WTF::kGenericMaxDirectMapped / sizeof(ValueType)) {	756 if (length > VectorType::maxCapacity()) {

745 exceptionState.throwTypeError("Array length exceeds supported limit.");	757 exceptionState.throwTypeError("Array length exceeds supported limit.");

746 return VectorType();	758 return VectorType();

747 }	759 }

748	760

749 VectorType result;	761 VectorType result;

750 result.reserveInitialCapacity(length);	762 result.reserveInitialCapacity(length);

751 v8::Local<v8::Object> object = v8::Local<v8::Object>::Cast(value);	763 v8::Local<v8::Object> object = v8::Local<v8::Object>::Cast(value);

752 v8::TryCatch block(isolate);	764 v8::TryCatch block(isolate);

753 for (uint32_t i = 0; i < length; ++i) {	765 for (uint32_t i = 0; i < length; ++i) {

754 v8::Local<v8::Value> element;	766 v8::Local<v8::Value> element;

755 if (!v8Call(object->Get(isolate->GetCurrentContext(), i), element, block)) {	767 if (!v8Call(object->Get(isolate->GetCurrentContext(), i), element, block)) {

756 exceptionState.rethrowV8Exception(block.Exception());	768 exceptionState.rethrowV8Exception(block.Exception());

757 return VectorType();	769 return VectorType();

758 }	770 }

759 result.uncheckedAppend(	771 result.uncheckedAppend(

760 TraitsType::nativeValue(isolate, element, exceptionState));	772 TraitsType::nativeValue(isolate, element, exceptionState));

761 if (exceptionState.hadException())	773 if (exceptionState.hadException())

762 return VectorType();	774 return VectorType();

763 }	775 }

764 return result;	776 return result;

765 }	777 }

766	778

767 template <typename VectorType>	779 template <typename VectorType>

768 VectorType toImplArray(const Vector<ScriptValue>& value,	780 VectorType toImplArray(const Vector<ScriptValue>& value,

769 v8::Isolate* isolate,	781 v8::Isolate* isolate,

770 ExceptionState& exceptionState) {	782 ExceptionState& exceptionState) {

	783 using ValueType = typename VectorType::ValueType;

	784 using TraitsType = NativeValueTraits<ValueType>;

	785

	786 if (value.size() > VectorType::maxCapacity()) {

	787 exceptionState.throwTypeError("Array length exceeds supported limit.");

	788 return VectorType();

	789 }

	790

771 VectorType result;	791 VectorType result;

772 typedef typename VectorType::ValueType ValueType;

773 typedef NativeValueTraits<ValueType> TraitsType;

774 result.reserveInitialCapacity(value.size());	792 result.reserveInitialCapacity(value.size());

775 for (unsigned i = 0; i < value.size(); ++i) {	793 for (unsigned i = 0; i < value.size(); ++i) {

776 result.uncheckedAppend(	794 result.uncheckedAppend(

777 TraitsType::nativeValue(isolate, value[i].v8Value(), exceptionState));	795 TraitsType::nativeValue(isolate, value[i].v8Value(), exceptionState));

778 if (exceptionState.hadException())	796 if (exceptionState.hadException())

779 return VectorType();	797 return VectorType();

780 }	798 }

781 return result;	799 return result;

782 }	800 }

783	801

784 template <typename VectorType>	802 template <typename VectorType>

785 VectorType toImplArguments(const v8::FunctionCallbackInfo<v8::Value>& info,	803 VectorType toImplArguments(const v8::FunctionCallbackInfo<v8::Value>& info,

786 int startIndex,	804 int startIndex,

787 ExceptionState& exceptionState) {	805 ExceptionState& exceptionState) {

	806 using ValueType = typename VectorType::ValueType;

	807 using TraitsType = NativeValueTraits<ValueType>;

	808

	809 int length = info.Length();

788 VectorType result;	810 VectorType result;

789 typedef typename VectorType::ValueType ValueType;

790 typedef NativeValueTraits<ValueType> TraitsType;

791 int length = info.Length();

792 if (startIndex < length) {	811 if (startIndex < length) {

	812 if (static_cast<size_t>(length - startIndex) > VectorType::maxCapacity()) {

	813 exceptionState.throwTypeError("Array length exceeds supported limit.");

	814 return VectorType();

	815 }

793 result.reserveInitialCapacity(length - startIndex);	816 result.reserveInitialCapacity(length - startIndex);

794 for (int i = startIndex; i < length; ++i) {	817 for (int i = startIndex; i < length; ++i) {

795 result.uncheckedAppend(	818 result.uncheckedAppend(

796 TraitsType::nativeValue(info.GetIsolate(), info[i], exceptionState));	819 TraitsType::nativeValue(info.GetIsolate(), info[i], exceptionState));

797 if (exceptionState.hadException())	820 if (exceptionState.hadException())

798 return VectorType();	821 return VectorType();

799 }	822 }

800 }	823 }

801 return result;	824 return result;

802 }	825 }

(...skipping 335 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1138 // If the argument isn't an object, this will crash.	1161 // If the argument isn't an object, this will crash.

1139 CORE_EXPORT v8::Local<v8::Value> freezeV8Object(v8::Local<v8::Value>,	1162 CORE_EXPORT v8::Local<v8::Value> freezeV8Object(v8::Local<v8::Value>,

1140 v8::Isolate*);	1163 v8::Isolate*);

1141	1164

1142 CORE_EXPORT v8::Local<v8::Value> fromJSONString(v8::Isolate*,	1165 CORE_EXPORT v8::Local<v8::Value> fromJSONString(v8::Isolate*,

1143 const String& stringifiedJSON,	1166 const String& stringifiedJSON,

1144 ExceptionState&);	1167 ExceptionState&);

1145 } // namespace blink	1168 } // namespace blink

1146	1169

1147 #endif // V8Binding_h	1170 #endif // V8Binding_h

OLD	NEW