Index: src/runtime/runtime-function.cc |
diff --git a/src/runtime/runtime-function.cc b/src/runtime/runtime-function.cc |
index 5d49b2368153701eb833a61de309a57f685a9b54..5172bb64e556867c4206d42a782cc88c32da5fbc 100644 |
--- a/src/runtime/runtime-function.cc |
+++ b/src/runtime/runtime-function.cc |
@@ -575,12 +575,29 @@ RUNTIME_FUNCTION(Runtime_Call) { |
RUNTIME_FUNCTION(Runtime_Apply) { |
HandleScope scope(isolate); |
- DCHECK(args.length() == 5); |
- CONVERT_ARG_HANDLE_CHECKED(JSReceiver, fun, 0); |
+ DCHECK(args.length() == 5 || args.length() == 3); |
arv (Not doing code reviews)
2015/02/23 17:55:56
I think it would be cleaner to have to functions.
rossberg
2015/02/24 16:22:47
+1
caitp (gmail)
2015/02/25 00:00:24
done
|
+ CONVERT_ARG_HANDLE_CHECKED(Object, fun, 0); |
CONVERT_ARG_HANDLE_CHECKED(Object, receiver, 1); |
CONVERT_ARG_HANDLE_CHECKED(JSObject, arguments, 2); |
- CONVERT_INT32_ARG_CHECKED(offset, 3); |
- CONVERT_INT32_ARG_CHECKED(argc, 4); |
+ |
+ int32_t offset = 0; |
+ int32_t argc = 0; |
+ |
+ if (args.length() == 5) { |
+ RUNTIME_ASSERT(args[3]->IsNumber()); |
+ RUNTIME_ASSERT(args[3]->ToInt32(&offset)); |
+ RUNTIME_ASSERT(args[4]->IsNumber()); |
+ RUNTIME_ASSERT(args[4]->ToInt32(&argc)); |
+ } else { |
+ RUNTIME_ASSERT(arguments->IsJSArray()); |
+ RUNTIME_ASSERT(Handle<JSArray>::cast(arguments)->length()->ToInt32(&argc)); |
+ } |
+ |
+ if (!fun->IsJSFunction()) { |
+ ASSIGN_RETURN_FAILURE_ON_EXCEPTION( |
+ isolate, fun, Execution::TryGetFunctionDelegate(isolate, fun)); |
+ } |
+ |
RUNTIME_ASSERT(offset >= 0); |
// Loose upper bound to allow fuzzing. We'll most likely run out of |
// stack space before hitting this limit. |
@@ -611,6 +628,59 @@ RUNTIME_FUNCTION(Runtime_Apply) { |
} |
+RUNTIME_FUNCTION(Runtime_ApplyConstruct) { |
+ HandleScope scope(isolate); |
+ DCHECK(args.length() == 4 || args.length() == 2); |
+ CONVERT_ARG_HANDLE_CHECKED(Object, fun, 0); |
+ CONVERT_ARG_HANDLE_CHECKED(JSObject, arguments, 1); |
+ int32_t offset = 0; |
+ int32_t argc = 0; |
+ |
+ |
+ if (args.length() == 4) { |
+ RUNTIME_ASSERT(args[2]->IsNumber()); |
+ RUNTIME_ASSERT(args[2]->ToInt32(&offset)); |
+ RUNTIME_ASSERT(args[3]->IsNumber()); |
+ RUNTIME_ASSERT(args[3]->ToInt32(&argc)); |
+ } else { |
+ RUNTIME_ASSERT(arguments->IsJSArray()); |
+ RUNTIME_ASSERT(Handle<JSArray>::cast(arguments)->length()->ToInt32(&argc)); |
+ } |
+ |
+ if (!fun->IsJSFunction()) { |
+ ASSIGN_RETURN_FAILURE_ON_EXCEPTION( |
+ isolate, fun, Execution::TryGetConstructorDelegate(isolate, fun)); |
+ } |
+ |
+ RUNTIME_ASSERT(offset >= 0); |
+ // Loose upper bound to allow fuzzing. We'll most likely run out of |
+ // stack space before hitting this limit. |
+ static int kMaxArgc = 1000000; |
+ RUNTIME_ASSERT(argc >= 0 && argc <= kMaxArgc); |
+ |
+ // If there are too many arguments, allocate argv via malloc. |
+ const int argv_small_size = 10; |
+ Handle<Object> argv_small_buffer[argv_small_size]; |
+ SmartArrayPointer<Handle<Object> > argv_large_buffer; |
+ Handle<Object>* argv = argv_small_buffer; |
+ if (argc > argv_small_size) { |
+ argv = new Handle<Object>[argc]; |
+ if (argv == NULL) return isolate->StackOverflow(); |
+ argv_large_buffer = SmartArrayPointer<Handle<Object> >(argv); |
+ } |
+ |
+ for (int i = 0; i < argc; ++i) { |
+ ASSIGN_RETURN_FAILURE_ON_EXCEPTION( |
+ isolate, argv[i], Object::GetElement(isolate, arguments, offset + i)); |
+ } |
+ |
+ Handle<Object> result; |
+ ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, result, |
+ Execution::New(fun, argc, argv)); |
+ return *result; |
+} |
+ |
+ |
RUNTIME_FUNCTION(Runtime_GetFunctionDelegate) { |
HandleScope scope(isolate); |
DCHECK(args.length() == 1); |