Reviewers: Yang,

Description:
Fix off-by-one in Array.concat's max index check

The maximum valid index is strictly smaller than the maximum valid length.

BUG=chromium:516592
LOG=y
[email protected]

Please review this at https://codereview.chromium.org/1278703003/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+19, -2 lines):
  M src/runtime/runtime-array.cc
  M test/mjsunit/regress/regress-581.js
  A test/mjsunit/regress/regress-crbug-516592.js


Index: src/runtime/runtime-array.cc
diff --git a/src/runtime/runtime-array.cc b/src/runtime/runtime-array.cc
index b5655db611a5ce34161d45990718872fa7f02916..4cbd5705779de160a6c4f3d16155ac2bb70df744 100644
--- a/src/runtime/runtime-array.cc
+++ b/src/runtime/runtime-array.cc
@@ -133,7 +133,7 @@ class ArrayConcatVisitor {
   ~ArrayConcatVisitor() { clear_storage(); }

   void visit(uint32_t i, Handle<Object> elm) {
-    if (i > JSObject::kMaxElementCount - index_offset_) {
+    if (i >= JSObject::kMaxElementCount - index_offset_) {
       set_exceeds_array_limit(true);
       return;
     }
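Review bot: The corrected comparison on the `if` line deserves a short comment, because `kMaxElementCount` reads as a count and the `>=` is easy to regress back to `>` by someone reasoning "i can equal the max"; suggest `// kMaxElementCount is the largest allowed length; the largest valid index is one less, hence >=.` placed directly above the condition. The subtraction `JSObject::kMaxElementCount - index_offset_` is presumably unsigned, so if `index_offset_` could ever exceed `kMaxElementCount` the right-hand side would wrap and the guard would stop rejecting anything; where `index_offset_` is advanced is not in this hunk, so an assertion or comment at that site documenting the invariant would close that question. The body of `visit` continues beyond the hunk.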
Index: test/mjsunit/regress/regress-581.js
diff --git a/test/mjsunit/regress/regress-581.js b/test/mjsunit/regress/regress-581.js
index ab345a9b61e0a8d78a79180b9a7c978f22babcab..1b40f580e2c64014592605d1acebca4f78d9d5d7 100644
--- a/test/mjsunit/regress/regress-581.js
+++ b/test/mjsunit/regress/regress-581.js
@@ -36,7 +36,6 @@ assertThrows(function() { a.concat(a); }, RangeError);

 var b = [];
 b[pow31 - 3] = 32;
-b[pow31 - 2] = "out_of_bounds";
 var ab = a.concat(b);
 assertEquals(2 * pow31 - 1, ab.length);
 assertEquals(31, ab[pow31]);
Index: test/mjsunit/regress/regress-crbug-516592.js
diff --git a/test/mjsunit/regress/regress-crbug-516592.js b/test/mjsunit/regress/regress-crbug-516592.js
new file mode 100644
index 0000000000000000000000000000000000000000..1887824a6caecbe35605d997493a586321b6101d
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-516592.js
@@ -0,0 +1,18 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var i = Math.pow(2, 31);
+var a = [];
+a[i] = 31;
+var b = [];
+b[i - 2] = 33;
+try {
+  // This is supposed to throw a RangeError.
+  var c = a.concat(b);
+  // If it didn't, ObservableSetLength will detect the problem.
+  Object.observe(c, function() {});
+  c.length = 1;
+} catch(e) {
+  assertTrue(e instanceof RangeError);
+}
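Review bot: The try block at the end of the new file passes silently if `a.concat(b)` returns normally and neither `Object.observe` nor the length assignment throws, so the regression would only surface through the process-level check the comment anticipates from ObservableSetLength, not through a test failure. Adding `assertUnreachable("a.concat(b) did not throw a RangeError");` after `c.length = 1;` makes the expected outcome explicit and turns a missed throw into a reported failure rather than a green run. The check inside the catch is fine as written; the comment on the second line of the try could also say why the observer is needed, e.g. `// Observing c routes the length change through the slow path that validates the length.`, hedged since that path is not visible here.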

