Reviewers: Toon Verwaest,
Description:
Fix missing exception check in typed array constructor.
The typed array constructor might fail if the first argument is an
object with a length property. Accessing the property can cause an
exception to be thrown and an explicit check needs to be performed.
[email protected]
BUG=chromium:168545
TEST=mjsunit/regress/regress-crbug-168545.js
Please review this at https://codereview.chromium.org/11777014/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/d8.cc
A + test/mjsunit/regress/regress-crbug-168545.js
Index: src/d8.cc
diff --git a/src/d8.cc b/src/d8.cc
index
8233f861ea46c85dc344e83e61c4539a4fac5694..83e2fc50d5d43db6290b9e7808313d6806ebe97a
100644
--- a/src/d8.cc
+++ b/src/d8.cc
@@ -532,8 +532,9 @@ Handle<Value> Shell::CreateExternalArray(const
Arguments& args,
if (args[0]->IsObject() &&
args[0]->ToObject()->Has(Symbols::length(isolate))) {
// Construct from array.
- length = convertToUint(
- args[0]->ToObject()->Get(Symbols::length(isolate)), &try_catch);
+ Local<Value> value =
args[0]->ToObject()->Get(Symbols::length(isolate));
+ if (try_catch.HasCaught()) return try_catch.ReThrow();
+ length = convertToUint(value, &try_catch);
if (try_catch.HasCaught()) return try_catch.ReThrow();
init_from_array = true;
} else {
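Review bot: The `Has(Symbols::length(isolate))` call in the condition at the top of this hunk is still not followed by an exception check, although the patch adds one after `Get`. If `Has` can run script for the object passed in (a proxy or an intercepted property, for example; this hunk does not show whether it can), a pending exception would fall through to the `else` branch instead of being rethrown. Consider hoisting `Local<Object> array = args[0]->ToObject();` once, storing the `Has` result in a local, and testing `try_catch.HasCaught()` before branching, which also removes the repeated `ToObject()` calls. A comment above the new check, such as `// Get() yields an empty handle when the getter throws; do not pass it on.`, would record why the early return is needed. Shell::CreateExternalArray starts and ends outside the hunk.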
Index: test/mjsunit/regress/regress-crbug-168545.js
diff --git a/test/mjsunit/regress/regress-2153.js
b/test/mjsunit/regress/regress-crbug-168545.js
similarity index 89%
copy from test/mjsunit/regress/regress-2153.js
copy to test/mjsunit/regress/regress-crbug-168545.js
index
3170042bedc6e80f9ca11436f7162c209eb8f799..1bc52fe9b0975b4f654c797da307c8f8ae40fef4
100644
--- a/test/mjsunit/regress/regress-2153.js
+++ b/test/mjsunit/regress/regress-crbug-168545.js
@@ -1,4 +1,4 @@
-// Copyright 2012 the V8 project authors. All rights reserved.
+// Copyright 2013 the V8 project authors. All rights reserved.
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
@@ -26,7 +26,5 @@
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
var o = {};
-o.__defineGetter__('foo', function () { return null; });
-var o = {};
-o.foo = 42;
-assertEquals(42, o.foo);
+Object.defineProperty(o, "length", { get: function() { throw "bail"; }});
+assertThrows("new Int16Array(o);");
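Review bot: `assertThrows("new Int16Array(o);")` on the last line passes for any exception, so the test would still succeed if the constructor failed for an unrelated reason before reading `length`. Pinning the thrown value ties the test to the getter: `try { new Int16Array(o); assertUnreachable(); } catch (e) { assertEquals("bail", e); }`. The patched path in src/d8.cc appears to be shared by the other typed array constructors, so looping over a few of them would widen coverage at little cost.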