Reviewers: Jakob,
Message:
PTAL.
Description:
Fix data view accessors to throw exceptions on offsets bigger than size_t.
[email protected]
BUG=v8:3013
Please review this at https://codereview.chromium.org/74583003/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+43, -10 lines):
M src/runtime.cc
M src/v8conversions.h
M test/mjsunit/harmony/dataview-accessors.js
Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index
80b68279468fba09989f34c62ebf5a2e07175b07..2865681ccbead4ea276aa273e64379f1c28e47e9
100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -1204,7 +1204,10 @@ inline static bool DataViewGetValue(
Handle<Object> byte_offset_obj,
bool is_little_endian,
T* result) {
- size_t byte_offset = NumberToSize(isolate, *byte_offset_obj);
+ size_t byte_offset = 0;
+ if (!TryNumberToSize(isolate, *byte_offset_obj, &byte_offset)) {
+ return false;
+ }
Handle<JSArrayBuffer> buffer(JSArrayBuffer::cast(data_view->buffer()));
size_t data_view_byte_offset =
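Review bot: The early `return false` added after `TryNumberToSize` carries no comment saying which inputs it rejects, and the identical lines in the DataViewSetValue hunk have the same gap. I would put `// Reject offsets that are negative or do not fit in size_t.` above the `if` in both places. On 64-bit builds very large offsets still convert successfully, so the range comparison that presumably follows outside this hunk must be written so that `byte_offset + sizeof(T)` cannot wrap around. Both function bodies continue past their hunks, so that cannot be confirmed from here.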
@@ -1245,7 +1248,10 @@ static bool DataViewSetValue(
Handle<Object> byte_offset_obj,
bool is_little_endian,
T data) {
- size_t byte_offset = NumberToSize(isolate, *byte_offset_obj);
+ size_t byte_offset = 0;
+ if (!TryNumberToSize(isolate, *byte_offset_obj, &byte_offset)) {
+ return false;
+ }
Handle<JSArrayBuffer> buffer(JSArrayBuffer::cast(data_view->buffer()));
size_t data_view_byte_offset =
Index: src/v8conversions.h
diff --git a/src/v8conversions.h b/src/v8conversions.h
index
b1d96b4b8a9ab4d87a2c3b78948c2e0c0245eb30..17c05065180996b6a51a478daf3d14c0e4dcdd2b
100644
--- a/src/v8conversions.h
+++ b/src/v8conversions.h
@@ -55,24 +55,39 @@ double StringToDouble(UnicodeCache* unicode_cache,
// Converts a string into an integer.
double StringToInt(UnicodeCache* unicode_cache, String* str, int radix);
-// Converts a number into size_t.
-inline size_t NumberToSize(Isolate* isolate,
- Object* number) {
+inline bool TryNumberToSize(Isolate* isolate,
+ Object* number, size_t* result) {
SealHandleScope shs(isolate);
if (number->IsSmi()) {
int value = Smi::cast(number)->value();
- CHECK_GE(value, 0);
ASSERT(Smi::kMaxValue <= std::numeric_limits<size_t>::max());
- return static_cast<size_t>(value);
+ if (value >= 0) {
+ *result = static_cast<size_t>(value);
+ return true;
+ }
+ return false;
} else {
ASSERT(number->IsHeapNumber());
double value = HeapNumber::cast(number)->value();
- CHECK(value >= 0 &&
- value <= std::numeric_limits<size_t>::max());
- return static_cast<size_t>(value);
+ if (value >= 0 &&
+ value <= std::numeric_limits<size_t>::max()) {
+ *result = static_cast<size_t>(value);
+ return true;
+ } else {
+ return false;
+ }
}
}
+// Converts a number into size_t.
+inline size_t NumberToSize(Isolate* isolate,
+ Object* number) {
+ size_t result;
+ bool is_valid = TryNumberToSize(isolate, number, &result);
+ CHECK(is_valid);
+ return result;
+}
+
} } // namespace v8::internal
#endif // V8_V8CONVERSIONS_H_
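Review bot: The heap-number branch of `TryNumberToSize` keeps the inclusive bound `value <= std::numeric_limits<size_t>::max()`, which on a 64-bit build compares against 2^64, because the maximum is rounded up when converted to double. A value of exactly 2^64 therefore passes the check and reaches `static_cast<size_t>(value)`, which is undefined for an out-of-range double. A strict bound such as `value < static_cast<double>(std::numeric_limits<size_t>::max()) + 1.0` rejects it on both 32-bit and 64-bit targets. The new function also lost the doc comment that moved to `NumberToSize`; something like `// Converts a number into size_t; returns false if it is negative or too large.` would document the contract, and `size_t result = 0;` in `NumberToSize` would match the initialisation used in runtime.cc.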
Index: test/mjsunit/harmony/dataview-accessors.js
diff --git a/test/mjsunit/harmony/dataview-accessors.js
b/test/mjsunit/harmony/dataview-accessors.js
index
7b03da7089721235ce96a85d16afe7b6428513bf..c54f8cc20d056ecdfdc05000af1df8d63c4017b6
100644
--- a/test/mjsunit/harmony/dataview-accessors.js
+++ b/test/mjsunit/harmony/dataview-accessors.js
@@ -114,11 +114,13 @@ function runIntegerTestCases(isTestingGet, array,
start, length) {
test(isTestingGet, "Int8", undefined, 0);
test(isTestingGet, "Int8", 8, -128);
test(isTestingGet, "Int8", 15, -1);
+ test(isTestingGet, "Int8", 1e12, undefined);
test(isTestingGet, "Uint8", 0, 0);
test(isTestingGet, "Uint8", undefined, 0);
test(isTestingGet, "Uint8", 8, 128);
test(isTestingGet, "Uint8", 15, 255);
+ test(isTestingGet, "Uint8", 1e12, undefined);
// Little endian.
test(isTestingGet, "Int16", 0, 256, true);
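Review bot: The offset `1e12` used in the new cases here, and in every later hunk of this file, fits in a 64-bit size_t, so on 64-bit builds these tests never reach the failure path of `TryNumberToSize` and pass only through whatever range check follows it. I would add one case per accessor family with an offset above 2^64, for example `test(isTestingGet, "Int8", 1e30, undefined);`, so the conversion failure is exercised on every platform. A negative offset case would cover the Smi branch, assuming the JS wrapper forwards such values to the runtime function unchanged.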
@@ -126,6 +128,7 @@ function runIntegerTestCases(isTestingGet, array,
start, length) {
test(isTestingGet, "Int16", 5, 26213, true);
test(isTestingGet, "Int16", 9, -32127, true);
test(isTestingGet, "Int16", 14, -2, true);
+ test(isTestingGet, "Int16", 1e12, undefined, true);
// Big endian.
test(isTestingGet, "Int16", 0, 1);
@@ -133,6 +136,7 @@ function runIntegerTestCases(isTestingGet, array,
start, length) {
test(isTestingGet, "Int16", 5, 25958);
test(isTestingGet, "Int16", 9, -32382);
test(isTestingGet, "Int16", 14, -257);
+ test(isTestingGet, "Int16", 1e12, undefined);
// Little endian.
test(isTestingGet, "Uint16", 0, 256, true);
@@ -140,6 +144,7 @@ function runIntegerTestCases(isTestingGet, array,
start, length) {
test(isTestingGet, "Uint16", 5, 26213, true);
test(isTestingGet, "Uint16", 9, 33409, true);
test(isTestingGet, "Uint16", 14, 65534, true);
+ test(isTestingGet, "Uint16", 1e12, undefined, true);
// Big endian.
test(isTestingGet, "Uint16", 0, 1);
@@ -147,6 +152,7 @@ function runIntegerTestCases(isTestingGet, array,
start, length) {
test(isTestingGet, "Uint16", 5, 25958);
test(isTestingGet, "Uint16", 9, 33154);
test(isTestingGet, "Uint16", 14, 65279);
+ test(isTestingGet, "Uint16", 1e12, undefined);
// Little endian.
test(isTestingGet, "Int32", 0, 50462976, true);
@@ -155,6 +161,7 @@ function runIntegerTestCases(isTestingGet, array,
start, length) {
test(isTestingGet, "Int32", 6, -2122291354, true);
test(isTestingGet, "Int32", 9, -58490239, true);
test(isTestingGet, "Int32", 12,-66052, true);
+ test(isTestingGet, "Int32", 1e12, undefined, true);
// Big endian.
test(isTestingGet, "Int32", 0, 66051);
@@ -163,6 +170,7 @@ function runIntegerTestCases(isTestingGet, array,
start, length) {
test(isTestingGet, "Int32", 6, 1718059137);
test(isTestingGet, "Int32", 9, -2122152964);
test(isTestingGet, "Int32", 12, -50462977);
+ test(isTestingGet, "Int32", 1e12, undefined);
// Little endian.
test(isTestingGet, "Uint32", 0, 50462976, true);
@@ -171,6 +179,7 @@ function runIntegerTestCases(isTestingGet, array,
start, length) {
test(isTestingGet, "Uint32", 6, 2172675942, true);
test(isTestingGet, "Uint32", 9, 4236477057, true);
test(isTestingGet, "Uint32", 12,4294901244, true);
+ test(isTestingGet, "Uint32", 1e12, undefined, true);
// Big endian.
test(isTestingGet, "Uint32", 0, 66051);
@@ -179,6 +188,7 @@ function runIntegerTestCases(isTestingGet, array,
start, length) {
test(isTestingGet, "Uint32", 6, 1718059137);
test(isTestingGet, "Uint32", 9, 2172814332);
test(isTestingGet, "Uint32", 12, 4244504319);
+ test(isTestingGet, "Uint32", 1e12, undefined);
}
function testFloat(isTestingGet, func, array, start, expected) {
@@ -192,6 +202,7 @@ function testFloat(isTestingGet, func, array, start,
expected) {
test(isTestingGet, func, 7, expected, true);
createDataView(array, 10, true, start);
test(isTestingGet, func, 10, expected, true);
+ test(isTestingGet, func, 1e12, undefined, true);
// Big endian.
createDataView(array, 0, false);
@@ -203,6 +214,7 @@ function testFloat(isTestingGet, func, array, start,
expected) {
test(isTestingGet, func, 7, expected, false);
createDataView(array, 10, false);
test(isTestingGet, func, 10, expected, false);
+ test(isTestingGet, func, 1e12, undefined, false);
}
function runFloatTestCases(isTestingGet, start) {