[v8-dev] [v8] r14154 committed - Fix Array.prototype.concat when exceeding array size limit....

Fri, 05 Apr 2013 08:13:23 -0700 

Revision: 14154
Author:   yang...@chromium.org
Date:     Fri Apr  5 08:12:59 2013
Log:      Fix Array.prototype.concat when exceeding array size limit.

R=verwa...@chromium.org
BUG=v8:581

Review URL: https://chromiumcodereview.appspot.com/13465008
http://code.google.com/p/v8/source/detail?r=14154

Added:
 /branches/bleeding_edge/test/mjsunit/regress/regress-581.js
Modified:
 /branches/bleeding_edge/src/runtime.cc

=======================================
--- /dev/null
+++ /branches/bleeding_edge/test/mjsunit/regress/regress-581.js Fri Apr 5 08:12:59 2013 
@@ -0,0 +1,46 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+var pow30 = Math.pow(2, 30);
+var pow31 = Math.pow(2, 31);
+
+var a = [];
+a[pow31] = 31;
+
+assertEquals(pow31 + 1, a.length);
+assertThrows(function() { a.concat(a); }, RangeError);
+
+var b = [];
+b[pow31 - 2] = 32;
+var ab = a.concat(b);
+assertEquals(2 * pow31 - 1, ab.length);
+assertEquals(31, ab[pow31]);
+assertEquals(32, ab[2 * pow31 - 1]);
+
+var c = [];
+c[pow30] = 30;
+assertThrows(function() { c.concat(c, a); }, RangeError);
=======================================
--- /branches/bleeding_edge/src/runtime.cc      Fri Apr  5 06:01:06 2013
+++ /branches/bleeding_edge/src/runtime.cc      Fri Apr  5 08:12:59 2013
@@ -8862,14 +8862,18 @@
       storage_(Handle<FixedArray>::cast(
           isolate->global_handles()->Create(*storage))),
       index_offset_(0u),
-      fast_elements_(fast_elements) { }
+      fast_elements_(fast_elements),
+      exceeds_array_limit_(false) { }

   ~ArrayConcatVisitor() {
     clear_storage();
   }

   void visit(uint32_t i, Handle<Object> elm) {
-    if (i >= JSObject::kMaxElementCount - index_offset_) return;
+    if (i > JSObject::kMaxElementCount - index_offset_) {
+      exceeds_array_limit_ = true;
+      return;
+    }
     uint32_t index = index_offset_ + i;

     if (fast_elements_) {
@@ -8903,6 +8907,10 @@
       index_offset_ += delta;
     }
   }
+
+  bool exceeds_array_limit() {
+    return exceeds_array_limit_;
+  }

   Handle<JSArray> ToArray() {
     Handle<JSArray> array = isolate_->factory()->NewJSArray(0);
@@ -8962,7 +8970,8 @@
   // Index after last seen index. Always less than or equal to
   // JSObject::kMaxElementCount.
   uint32_t index_offset_;
-  bool fast_elements_;
+  bool fast_elements_ : 1;
+  bool exceeds_array_limit_ : 1;
 };


@@ -9518,6 +9527,11 @@
     }
   }

+  if (visitor.exceeds_array_limit()) {
+    return isolate->Throw(
+        *isolate->factory()->NewRangeError("invalid_array_length",
+                                           HandleVector<Object>(NULL, 0)));
+  }
   return *visitor.ToArray();
 }

--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
--- You received this message because you are subscribed to the Google Groups "v8-dev" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to