
Side by Side Diff: src/builtins/builtins-sharedarraybuffer.cc

Issue 2814753003: [SAB] Validate index before value conversion (Closed)
Patch Set: feedback Created 3 years, 8 months ago
1 // Copyright 2016 the V8 project authors. All rights reserved. 1 // Copyright 2016 the V8 project authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "src/base/macros.h" 5 #include "src/base/macros.h"
6 #include "src/base/platform/mutex.h" 6 #include "src/base/platform/mutex.h"
7 #include "src/base/platform/time.h" 7 #include "src/base/platform/time.h"
8 #include "src/builtins/builtins-utils.h" 8 #include "src/builtins/builtins-utils.h"
9 #include "src/builtins/builtins.h" 9 #include "src/builtins/builtins.h"
10 #include "src/code-factory.h" 10 #include "src/code-factory.h"
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after
56 : MessageTemplate::kNotIntegerSharedTypedArray, 56 : MessageTemplate::kNotIntegerSharedTypedArray,
57 object), 57 object),
58 JSTypedArray); 58 JSTypedArray);
59 } 59 }
60 60
61 // ES #sec-validateatomicaccess 61 // ES #sec-validateatomicaccess
62 // ValidateAtomicAccess( typedArray, requestIndex ) 62 // ValidateAtomicAccess( typedArray, requestIndex )
63 MUST_USE_RESULT Maybe<size_t> ValidateAtomicAccess( 63 MUST_USE_RESULT Maybe<size_t> ValidateAtomicAccess(
64 Isolate* isolate, Handle<JSTypedArray> typed_array, 64 Isolate* isolate, Handle<JSTypedArray> typed_array,
65 Handle<Object> request_index) { 65 Handle<Object> request_index) {
66 // TOOD(v8:5961): Use ToIndex for indexes 66 Handle<Object> access_index_obj;
67 ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, request_index, 67 ASSIGN_RETURN_ON_EXCEPTION_VALUE(
68 Object::ToNumber(request_index), 68 isolate, access_index_obj,
69 Nothing<size_t>()); 69 Object::ToIndex(isolate, request_index,
70 Handle<Object> offset; 70 MessageTemplate::kInvalidAtomicAccessIndex),
71 ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, offset, 71 Nothing<size_t>());
72 Object::ToInteger(isolate, request_index), 72
73 Nothing<size_t>()); 73 size_t access_index = NumberToSize(*access_index_obj);
74 if (!request_index->SameValue(*offset)) { 74 if (access_index >= typed_array->length_value()) {
75 isolate->Throw(*isolate->factory()->NewRangeError( 75 isolate->Throw(*isolate->factory()->NewRangeError(
76 MessageTemplate::kInvalidAtomicAccessIndex)); 76 MessageTemplate::kInvalidAtomicAccessIndex));
77 return Nothing<size_t>(); 77 return Nothing<size_t>();
78 }
79 size_t access_index;
80 uint32_t length = typed_array->length_value();
81 if (!TryNumberToSize(*request_index, &access_index) ||
82 access_index >= length) {
83 isolate->Throw(*isolate->factory()->NewRangeError(
84 MessageTemplate::kInvalidAtomicAccessIndex));
85 return Nothing<size_t>();
86 } 78 }
87 return Just<size_t>(access_index); 79 return Just<size_t>(access_index);
88 } 80 }
89 81
90 // ES #sec-atomics.wake 82 // ES #sec-atomics.wake
91 // Atomics.wake( typedArray, index, count ) 83 // Atomics.wake( typedArray, index, count )
92 BUILTIN(AtomicsWake) { 84 BUILTIN(AtomicsWake) {
93 HandleScope scope(isolate); 85 HandleScope scope(isolate);
94 Handle<Object> array = args.atOrUndefined(isolate, 1); 86 Handle<Object> array = args.atOrUndefined(isolate, 1);
95 Handle<Object> index = args.atOrUndefined(isolate, 2); 87 Handle<Object> index = args.atOrUndefined(isolate, 2);
(...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after
164 156
165 Handle<JSArrayBuffer> array_buffer = sta->GetBuffer(); 157 Handle<JSArrayBuffer> array_buffer = sta->GetBuffer();
166 size_t addr = (i << 2) + NumberToSize(sta->byte_offset()); 158 size_t addr = (i << 2) + NumberToSize(sta->byte_offset());
167 159
168 return FutexEmulation::Wait(isolate, array_buffer, addr, value_int32, 160 return FutexEmulation::Wait(isolate, array_buffer, addr, value_int32,
169 timeout_number); 161 timeout_number);
170 } 162 }
171 163
172 } // namespace internal 164 } // namespace internal
173 } // namespace v8 165 } // namespace v8
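Review bot: In ValidateAtomicAccess (new lines 73-74 of the second hunk), `NumberToSize(*access_index_obj)` replaces the old fallible `TryNumberToSize` call, yet ToIndex accepts any integer up to 2^53-1, which does not fit a 32-bit size_t; unless NumberToSize has become tolerant of out-of-range values, it CHECKs on such input, so a script-supplied index of that size would hit a fatal check on 32-bit builds instead of the RangeError the old code threw. Keeping the fallible conversion preserves the previous behaviour while still benefiting from ToIndex having rejected negatives and non-integers: `size_t access_index;` / `if (!TryNumberToSize(*access_index_obj, &access_index) ||` / `    access_index >= typed_array->length_value()) {`. A short comment above the bound check, `// ToIndex has already rejected negative and non-integral indices; only the length bound remains to check here.`, would also make the narrowed responsibility of this function clear to the next reader.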
