Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(212)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: src/runtime.cc

Issue 270273005: Harden yet more runtime functions (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: fixed nits Created 6 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « src/liveedit.h ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index b82d377f71fda4040cdcb5784c0f14744a64f42b..743b34b534639a31917e1097ee27558605696b25 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -978,6 +978,8 @@ RUNTIME_FUNCTION(Runtime_TypedArrayInitialize) {
&fixed_elements_kind,
&element_size);
+ RUNTIME_ASSERT(holder->map()->elements_kind() == fixed_elements_kind);
+
size_t byte_offset = 0;
size_t byte_length = 0;
RUNTIME_ASSERT(TryNumberToSize(isolate, *byte_offset_object, &byte_offset));
@@ -986,7 +988,7 @@ RUNTIME_FUNCTION(Runtime_TypedArrayInitialize) {
holder->set_byte_offset(*byte_offset_object);
holder->set_byte_length(*byte_length_object);
- CHECK_EQ(0, static_cast<int>(byte_length % element_size));
+ RUNTIME_ASSERT(byte_length % element_size == 0);
size_t length = byte_length / element_size;
if (length > static_cast<unsigned>(Smi::kMaxValue)) {
@@ -1062,6 +1064,8 @@ RUNTIME_FUNCTION(Runtime_TypedArrayInitializeFromArrayLike) {
&fixed_elements_kind,
&element_size);
+ RUNTIME_ASSERT(holder->map()->elements_kind() == fixed_elements_kind);
+
Handle<JSArrayBuffer> buffer = isolate->factory()->NewJSArrayBuffer();
if (source->IsJSTypedArray() &&
JSTypedArray::cast(*source)->type() == array_type) {
@@ -1739,6 +1743,7 @@ RUNTIME_FUNCTION(Runtime_WeakCollectionGet) {
CONVERT_ARG_HANDLE_CHECKED(Object, key, 1);
Handle<ObjectHashTable> table(
ObjectHashTable::cast(weak_collection->table()));
+ RUNTIME_ASSERT(table->IsKey(*key));
Handle<Object> lookup(table->Lookup(key), isolate);
return lookup->IsTheHole() ? isolate->heap()->undefined_value() : *lookup;
}
@@ -1751,6 +1756,7 @@ RUNTIME_FUNCTION(Runtime_WeakCollectionHas) {
CONVERT_ARG_HANDLE_CHECKED(Object, key, 1);
Handle<ObjectHashTable> table(
ObjectHashTable::cast(weak_collection->table()));
+ RUNTIME_ASSERT(table->IsKey(*key));
Handle<Object> lookup(table->Lookup(key), isolate);
return isolate->heap()->ToBoolean(!lookup->IsTheHole());
}
@@ -1763,6 +1769,7 @@ RUNTIME_FUNCTION(Runtime_WeakCollectionDelete) {
CONVERT_ARG_HANDLE_CHECKED(Object, key, 1);
Handle<ObjectHashTable> table(ObjectHashTable::cast(
weak_collection->table()));
+ RUNTIME_ASSERT(table->IsKey(*key));
Handle<Object> lookup(table->Lookup(key), isolate);
Handle<ObjectHashTable> new_table =
ObjectHashTable::Put(table, key, isolate->factory()->the_hole_value());
@@ -1779,6 +1786,7 @@ RUNTIME_FUNCTION(Runtime_WeakCollectionSet) {
CONVERT_ARG_HANDLE_CHECKED(Object, value, 2);
Handle<ObjectHashTable> table(
ObjectHashTable::cast(weak_collection->table()));
+ RUNTIME_ASSERT(table->IsKey(*key));
Handle<ObjectHashTable> new_table = ObjectHashTable::Put(table, key, value);
weak_collection->set_table(*new_table);
return isolate->heap()->undefined_value();
@@ -4305,6 +4313,7 @@ RUNTIME_FUNCTION(Runtime_StringReplaceGlobalRegExpWithString) {
CONVERT_ARG_HANDLE_CHECKED(JSArray, last_match_info, 3);
RUNTIME_ASSERT(regexp->GetFlags().is_global());
+ RUNTIME_ASSERT(last_match_info->HasFastObjectElements());
subject = String::Flatten(subject);
@@ -4735,12 +4744,11 @@ static Object* SearchRegExpMultiple(
RegExpImpl::GlobalCache global_cache(regexp, subject, true, isolate);
if (global_cache.HasException()) return isolate->heap()->exception();
- Handle<FixedArray> result_elements;
- if (result_array->HasFastObjectElements()) {
- result_elements =
- Handle<FixedArray>(FixedArray::cast(result_array->elements()));
- }
- if (result_elements.is_null() || result_elements->length() < 16) {
+ // Ensured in Runtime_RegExpExecMultiple.
+ ASSERT(result_array->HasFastObjectElements());
+ Handle<FixedArray> result_elements(
+ FixedArray::cast(result_array->elements()));
+ if (result_elements->length() < 16) {
result_elements = isolate->factory()->NewFixedArrayWithHoles(16);
}
@@ -4854,9 +4862,11 @@ RUNTIME_FUNCTION(Runtime_RegExpExecMultiple) {
CONVERT_ARG_HANDLE_CHECKED(JSRegExp, regexp, 0);
CONVERT_ARG_HANDLE_CHECKED(JSArray, last_match_info, 2);
CONVERT_ARG_HANDLE_CHECKED(JSArray, result_array, 3);
+ RUNTIME_ASSERT(last_match_info->HasFastObjectElements());
+ RUNTIME_ASSERT(result_array->HasFastObjectElements());
subject = String::Flatten(subject);
- ASSERT(regexp->GetFlags().is_global());
+ RUNTIME_ASSERT(regexp->GetFlags().is_global());
if (regexp->CaptureCount() == 0) {
return SearchRegExpMultiple<false>(
@@ -5504,6 +5514,7 @@ RUNTIME_FUNCTION(Runtime_SetHiddenProperty) {
CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0);
CONVERT_ARG_HANDLE_CHECKED(String, key, 1);
CONVERT_ARG_HANDLE_CHECKED(Object, value, 2);
+ RUNTIME_ASSERT(key->IsUniqueName());
return *JSObject::SetHiddenProperty(object, key, value);
}
@@ -7338,6 +7349,7 @@ RUNTIME_FUNCTION(Runtime_StringBuilderJoin) {
CONVERT_SMI_ARG_CHECKED(array_length, 1);
CONVERT_ARG_HANDLE_CHECKED(String, separator, 2);
RUNTIME_ASSERT(array->HasFastObjectElements());
+ RUNTIME_ASSERT(array_length >= 0);
Handle<FixedArray> fixed_array(FixedArray::cast(array->elements()));
if (fixed_array->length() < array_length) {
@@ -7385,17 +7397,19 @@ RUNTIME_FUNCTION(Runtime_StringBuilderJoin) {
uc16* end = sink + length;
#endif
+ RUNTIME_ASSERT(fixed_array->get(0)->IsString());
String* first = String::cast(fixed_array->get(0));
- String* seperator_raw = *separator;
+ String* separator_raw = *separator;
int first_length = first->length();
String::WriteToFlat(first, sink, 0, first_length);
sink += first_length;
for (int i = 1; i < array_length; i++) {
ASSERT(sink + separator_length <= end);
- String::WriteToFlat(seperator_raw, sink, 0, separator_length);
+ String::WriteToFlat(separator_raw, sink, 0, separator_length);
sink += separator_length;
+ RUNTIME_ASSERT(fixed_array->get(i)->IsString());
String* element = String::cast(fixed_array->get(i));
int element_length = element->length();
ASSERT(sink + element_length <= end);
@@ -7474,6 +7488,8 @@ RUNTIME_FUNCTION(Runtime_SparseJoinWithSeparator) {
FixedArray* elements = FixedArray::cast(elements_array->elements());
for (int i = 0; i < elements_length; i += 2) {
RUNTIME_ASSERT(elements->get(i)->IsNumber());
+ CONVERT_NUMBER_CHECKED(uint32_t, position, Uint32, elements->get(i));
+ RUNTIME_ASSERT(position < array_length);
RUNTIME_ASSERT(elements->get(i + 1)->IsString());
}
@@ -9752,6 +9768,8 @@ RUNTIME_FUNCTION(Runtime_DateLocalTimezone) {
ASSERT(args.length() == 1);
CONVERT_DOUBLE_ARG_CHECKED(x, 0);
+ RUNTIME_ASSERT(x >= -DateCache::kMaxTimeBeforeUTCInMs &&
+ x <= DateCache::kMaxTimeBeforeUTCInMs);
const char* zone =
isolate->date_cache()->LocalTimezone(static_cast<int64_t>(x));
Handle<String> result = isolate->factory()->NewStringFromUtf8(
@@ -9765,6 +9783,8 @@ RUNTIME_FUNCTION(Runtime_DateToUTC) {
ASSERT(args.length() == 1);
CONVERT_DOUBLE_ARG_CHECKED(x, 0);
+ RUNTIME_ASSERT(x >= -DateCache::kMaxTimeBeforeUTCInMs &&
+ x <= DateCache::kMaxTimeBeforeUTCInMs);
int64_t time = isolate->date_cache()->ToUTC(static_cast<int64_t>(x));
return *isolate->factory()->NewNumber(static_cast<double>(time));
@@ -10356,6 +10376,10 @@ static bool IterateElements(Isolate* isolate,
if (length == 0) break;
// Run through the elements FixedArray and use HasElement and GetElement
// to check the prototype for missing elements.
+ if (receiver->elements()->IsFixedArray()) {
+ ASSERT(receiver->elements()->length() == 0);
+ break;
+ }
Handle<FixedDoubleArray> elements(
FixedDoubleArray::cast(receiver->elements()));
int fast_length = static_cast<int>(length);
@@ -10706,15 +10730,13 @@ RUNTIME_FUNCTION(Runtime_MoveArrayContents) {
RUNTIME_FUNCTION(Runtime_EstimateNumberOfElements) {
SealHandleScope shs(isolate);
ASSERT(args.length() == 1);
- CONVERT_ARG_CHECKED(JSObject, object, 0);
+ CONVERT_ARG_CHECKED(JSArray, object, 0);
HeapObject* elements = object->elements();
if (elements->IsDictionary()) {
int result = SeededNumberDictionary::cast(elements)->NumberOfElements();
return Smi::FromInt(result);
- } else if (object->IsJSArray()) {
- return JSArray::cast(object)->length();
} else {
- return Smi::FromInt(FixedArray::cast(elements)->length());
+ return object->length();
}
}
@@ -10755,8 +10777,8 @@ RUNTIME_FUNCTION(Runtime_GetArrayKeys) {
}
return *isolate->factory()->NewJSArrayWithElements(keys);
} else {
- ASSERT(array->HasFastSmiOrObjectElements() ||
- array->HasFastDoubleElements());
+ RUNTIME_ASSERT(array->HasFastSmiOrObjectElements() ||
+ array->HasFastDoubleElements());
uint32_t actual_length = static_cast<uint32_t>(array->elements()->length());
return *isolate->factory()->NewNumberFromUint(Min(actual_length, length));
}
@@ -10859,8 +10881,8 @@ static Handle<Object> DebugLookupResultValue(Isolate* isolate,
break;
}
case INTERCEPTOR:
- break;
case HANDLER:
+ break;
case NONEXISTENT:
UNREACHABLE();
break;
@@ -12697,12 +12719,13 @@ RUNTIME_FUNCTION(Runtime_SetFunctionBreakPoint) {
ASSERT(args.length() == 3);
CONVERT_ARG_HANDLE_CHECKED(JSFunction, function, 0);
CONVERT_NUMBER_CHECKED(int32_t, source_position, Int32, args[1]);
- RUNTIME_ASSERT(source_position >= 0);
+ RUNTIME_ASSERT(source_position >= function->shared()->start_position() &&
+ source_position <= function->shared()->end_position());
CONVERT_ARG_HANDLE_CHECKED(Object, break_point_object_arg, 2);
// Set break point.
- isolate->debug()->SetBreakPoint(function, break_point_object_arg,
- &source_position);
+ RUNTIME_ASSERT(isolate->debug()->SetBreakPoint(
+ function, break_point_object_arg, &source_position));
return Smi::FromInt(source_position);
}
@@ -13504,7 +13527,7 @@ RUNTIME_FUNCTION(Runtime_LiveEditFunctionSetScript) {
Script* script = Script::cast(JSValue::cast(*script_object)->value());
script_object = Handle<Object>(script, isolate);
}
-
+ RUNTIME_ASSERT(function_wrapper->value()->IsSharedFunctionInfo());
LiveEdit::SetFunctionScript(function_wrapper, script_object);
} else {
// Just ignore this. We may not have a SharedFunctionInfo for some functions
« no previous file with comments | « src/liveedit.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698