[v8-dev] Don't use length property when bounds checking atomics functions (issue 1227913006 by [email protected])

Fri, 10 Jul 2015 11:13:26 -0700 

Reviewers: jarin,

Description:
Don't use length property when bounds checking atomics functions
The length property can be monkey-patched, so use the native function instead. 

[email protected]
BUG=

Please review this at https://codereview.chromium.org/1227913006/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+24, -9 lines):
  M src/harmony-atomics.js
  M test/mjsunit/harmony/atomics.js


Index: src/harmony-atomics.js
diff --git a/src/harmony-atomics.js b/src/harmony-atomics.js
index aa81822d1e2f877f4de933f02d269b81775eea11..4ddf3b04f74273f43ce062c16c90728c7b77489d 100644 
--- a/src/harmony-atomics.js
+++ b/src/harmony-atomics.js
@@ -33,7 +33,7 @@ function CheckSharedIntegerTypedArray(ia) {
 function AtomicsCompareExchangeJS(sta, index, oldValue, newValue) {
   CheckSharedTypedArray(sta);
   index = $toInteger(index);
-  if (index < 0 || index >= sta.length) {
+  if (index < 0 || index >= %_TypedArrayGetLength(sta)) {
     return UNDEFINED;
   }
   return %_AtomicsCompareExchange(sta, index, oldValue, newValue);
@@ -42,7 +42,7 @@ function AtomicsCompareExchangeJS(sta, index, oldValue, newValue) { 
 function AtomicsLoadJS(sta, index) {
   CheckSharedTypedArray(sta);
   index = $toInteger(index);
-  if (index < 0 || index >= sta.length) {
+  if (index < 0 || index >= %_TypedArrayGetLength(sta)) {
     return UNDEFINED;
   }
   return %_AtomicsLoad(sta, index);
@@ -51,7 +51,7 @@ function AtomicsLoadJS(sta, index) {
 function AtomicsStoreJS(sta, index, value) {
   CheckSharedTypedArray(sta);
   index = $toInteger(index);
-  if (index < 0 || index >= sta.length) {
+  if (index < 0 || index >= %_TypedArrayGetLength(sta)) {
     return UNDEFINED;
   }
   return %_AtomicsStore(sta, index, value);
@@ -60,7 +60,7 @@ function AtomicsStoreJS(sta, index, value) {
 function AtomicsAddJS(ia, index, value) {
   CheckSharedIntegerTypedArray(ia);
   index = $toInteger(index);
-  if (index < 0 || index >= ia.length) {
+  if (index < 0 || index >= %_TypedArrayGetLength(ia)) {
     return UNDEFINED;
   }
   return %_AtomicsAdd(ia, index, value);
@@ -69,7 +69,7 @@ function AtomicsAddJS(ia, index, value) {
 function AtomicsSubJS(ia, index, value) {
   CheckSharedIntegerTypedArray(ia);
   index = $toInteger(index);
-  if (index < 0 || index >= ia.length) {
+  if (index < 0 || index >= %_TypedArrayGetLength(ia)) {
     return UNDEFINED;
   }
   return %_AtomicsSub(ia, index, value);
@@ -78,7 +78,7 @@ function AtomicsSubJS(ia, index, value) {
 function AtomicsAndJS(ia, index, value) {
   CheckSharedIntegerTypedArray(ia);
   index = $toInteger(index);
-  if (index < 0 || index >= ia.length) {
+  if (index < 0 || index >= %_TypedArrayGetLength(ia)) {
     return UNDEFINED;
   }
   return %_AtomicsAnd(ia, index, value);
@@ -87,7 +87,7 @@ function AtomicsAndJS(ia, index, value) {
 function AtomicsOrJS(ia, index, value) {
   CheckSharedIntegerTypedArray(ia);
   index = $toInteger(index);
-  if (index < 0 || index >= ia.length) {
+  if (index < 0 || index >= %_TypedArrayGetLength(ia)) {
     return UNDEFINED;
   }
   return %_AtomicsOr(ia, index, value);
@@ -96,7 +96,7 @@ function AtomicsOrJS(ia, index, value) {
 function AtomicsXorJS(ia, index, value) {
   CheckSharedIntegerTypedArray(ia);
   index = $toInteger(index);
-  if (index < 0 || index >= ia.length) {
+  if (index < 0 || index >= %_TypedArrayGetLength(ia)) {
     return UNDEFINED;
   }
   return %_AtomicsXor(ia, index, value);
@@ -105,7 +105,7 @@ function AtomicsXorJS(ia, index, value) {
 function AtomicsExchangeJS(ia, index, value) {
   CheckSharedIntegerTypedArray(ia);
   index = $toInteger(index);
-  if (index < 0 || index >= ia.length) {
+  if (index < 0 || index >= %_TypedArrayGetLength(ia)) {
     return UNDEFINED;
   }
   return %_AtomicsExchange(ia, index, value);
Index: test/mjsunit/harmony/atomics.js
diff --git a/test/mjsunit/harmony/atomics.js b/test/mjsunit/harmony/atomics.js index ff403b8bd1d47cc0b53d994220abc90025ec52f7..f59dffd1eea4656ff38dc24b48024aa52e501f7a 100644 
--- a/test/mjsunit/harmony/atomics.js
+++ b/test/mjsunit/harmony/atomics.js
@@ -123,6 +123,21 @@ function testAtomicOp(op, ia, index, expectedIndex, name) { 
     assertEquals(undefined, Atomics.xor(si32a, i, 0), name);
     assertEquals(undefined, Atomics.exchange(si32a, i, 0), name);
   });
+
+ // Monkey-patch length and make sure these functions still return undefined. + Object.defineProperty(si32a, 'length', {get: function() { return 1000; }}); 
+  [2, 100].forEach(function(i) {
+    var name = String(i);
+    assertEquals(undefined, Atomics.compareExchange(si32a, i, 0, 0), name);
+    assertEquals(undefined, Atomics.load(si32a, i), name);
+    assertEquals(undefined, Atomics.store(si32a, i, 0), name);
+    assertEquals(undefined, Atomics.add(si32a, i, 0), name);
+    assertEquals(undefined, Atomics.sub(si32a, i, 0), name);
+    assertEquals(undefined, Atomics.and(si32a, i, 0), name);
+    assertEquals(undefined, Atomics.or(si32a, i, 0), name);
+    assertEquals(undefined, Atomics.xor(si32a, i, 0), name);
+    assertEquals(undefined, Atomics.exchange(si32a, i, 0), name);
+  });
 })();

 (function TestGoodIndex() {


--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
--- You received this message because you are subscribed to the Google Groups "v8-dev" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to